
Windows Analysis Report
j95Whg3AY1.exe

Overview

General Information

Sample name: j95Whg3AY1.exe (renamed because original name is a hash value)
Original sample name: c3b52d80ea14e12c171738b75522d8a7.exe
Analysis ID: 1484487
MD5: c3b52d80ea14e12c171738b75522d8a7
SHA1: 20a07c67ba0832bdc86d84f0f778d7899b425681
SHA256: bc3d71c158c5ed330e165afc86a770af4710fffc44e7507d70d72ae69b2b82c0
Tags: 32exe

Detection

Poverty Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Poverty Stealer
.NET source code contains very large strings
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking mutex)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to query CPU information (cpuid)
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider

Classification

  • System is w10x64
  • j95Whg3AY1.exe (PID: 3092 cmdline: "C:\Users\user\Desktop\j95Whg3AY1.exe" MD5: C3B52D80EA14E12C171738B75522D8A7)
    • RegAsm.exe (PID: 6548 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cleanup
{"C2 url": "85.244.212.106:2227"}
Yara matches in memory dumps (Source | Rule | Description | Author):
00000001.00000002.2077224145.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security
00000000.00000002.2008493412.00000000031C1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security
Process Memory Space: j95Whg3AY1.exe PID: 3092 | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security
Process Memory Space: RegAsm.exe PID: 6548 | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security

Yara matches in unpacked PE files (Source | Rule | Description | Author):
1.2.RegAsm.exe.400000.0.unpack | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security
0.2.j95Whg3AY1.exe.3206c88.0.unpack | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security
0.2.j95Whg3AY1.exe.32162ec.1.unpack | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security
0.2.j95Whg3AY1.exe.320e2e4.2.unpack | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security
1.2.RegAsm.exe.400000.0.raw.unpack | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security
                    No Sigma rule has matched
                    No Snort rule has matched
Timestamp: 2024-07-30T07:27:18.095662+0200 | SID: 2022930 | Source Port: 443 | Destination Port: 49705 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 2024-07-30T07:27:57.033136+0200 | SID: 2022930 | Source Port: 443 | Destination Port: 49713 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 2024-07-30T07:27:05.358298+0200 | SID: 2048736 | Source Port: 49704 | Destination Port: 2227 | Protocol: TCP | Classtype: A Network Trojan was detected


                    AV Detection

Source: j95Whg3AY1.exe | Avira: detected
Source: 1.2.RegAsm.exe.400000.0.raw.unpack | Malware Configuration Extractor: Poverty Stealer {"C2 url": "85.244.212.106:2227"}
Source: j95Whg3AY1.exe | ReversingLabs: Detection: 68%
Source: j95Whg3AY1.exe | Virustotal: Detection: 72%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: j95Whg3AY1.exe | Joe Sandbox ML: detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_00401D21 CryptUnprotectData,CryptProtectData | 1_2_00401D21
Source: j95Whg3AY1.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_00401000 FindFirstFileW,FindNextFileW,EnterCriticalSection,LeaveCriticalSection | 1_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_00401DC9 FindFirstFileW,FindNextFileW | 1_2_00401DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_00404EB2 FindFirstFileW,EnterCriticalSection,LeaveCriticalSection,FindNextFileW | 1_2_00404EB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_00404145 FindFirstFileW,FindNextFileW | 1_2_00404145
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_00403F87 FindFirstFileW,FindNextFileW | 1_2_00403F87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies

                    Networking

Source: Malware configuration extractor | URLs: 85.244.212.106:2227
Source: global traffic | TCP traffic: 192.168.2.5:49704 -> 185.244.212.106:2227
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: RegAsm.exe, 00000001.00000002.2105571623.000000000AEEE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2137856949.000000000C0A4000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2079213275.00000000099A2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2093441001.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RegAsm.exe, 00000001.00000002.2105571623.000000000AEEE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2137856949.000000000C0A4000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2079213275.00000000099A2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2093441001.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RegAsm.exe, 00000001.00000002.2079213275.00000000099A2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yaho
Source: RegAsm.exe, 00000001.00000002.2105571623.000000000AEEE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2137856949.000000000C0A4000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2093441001.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RegAsm.exe, 00000001.00000002.2105571623.000000000AEEE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2137856949.000000000C0A4000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2093441001.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegAsm.exe, 00000001.00000002.2105571623.000000000AEEE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2137856949.000000000C0A4000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2093441001.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RegAsm.exe, 00000001.00000002.2093441001.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RegAsm.exe, 00000001.00000002.2105571623.000000000AEEE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2137856949.000000000C0A4000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2093441001.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegAsm.exe, 00000001.00000002.2105571623.000000000AEEE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2137856949.000000000C0A4000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2079213275.00000000099A2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2093441001.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: RegAsm.exe, 00000001.00000002.2137856949.000000000C0A4000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2093441001.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_00404C2D GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetDC,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateDIBSection,SelectObject,BitBlt,DeleteObject,DeleteDC,ReleaseDC | 1_2_00404C2D

                    System Summary

Source: j95Whg3AY1.exe, Program.cs | Long String: Length: 40300
Source: C:\Users\user\Desktop\j95Whg3AY1.exe | Code function: 0_2_016F19C0 | 0_2_016F19C0
Source: j95Whg3AY1.exe, 00000000.00000000.2006176332.0000000000EA2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameNetStub.exe0 vs j95Whg3AY1.exe
Source: j95Whg3AY1.exe, 00000000.00000002.2007720343.00000000013BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs j95Whg3AY1.exe
Source: j95Whg3AY1.exe | Binary or memory string: OriginalFilenameNetStub.exe0 vs j95Whg3AY1.exe
Source: j95Whg3AY1.exe, Program.cs | Base64 encoded string: 'QzpcV2luZG93c1xNaWNyb3NvZnQuTkVUXEZyYW1ld29ya1x2NC4wLjMwMzE5XFJlZ0FzbS5leGU=' (decodes to C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, the injection target seen in the process tree)
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@0/1
Source: C:\Users\user\Desktop\j95Whg3AY1.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\j95Whg3AY1.exe.log
Source: C:\Users\user\Desktop\j95Whg3AY1.exe | Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\0060cbb5-1dbd-468c-b2ba-03be756aa1c1
Source: j95Whg3AY1.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: j95Whg3AY1.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\j95Whg3AY1.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\j95Whg3AY1.exe "C:\Users\user\Desktop\j95Whg3AY1.exe"
Source: C:\Users\user\Desktop\j95Whg3AY1.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\j95Whg3AY1.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\j95Whg3AY1.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\j95Whg3AY1.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\j95Whg3AY1.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\j95Whg3AY1.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\j95Whg3AY1.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\j95Whg3AY1.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\j95Whg3AY1.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\j95Whg3AY1.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\j95Whg3AY1.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\j95Whg3AY1.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\j95Whg3AY1.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mswsock.dll
Source: j95Whg3AY1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: j95Whg3AY1.exe | Static PE information: 0xAC5EDBAF [Mon Aug 22 00:56:15 2061 UTC]
Source: C:\Users\user\Desktop\j95Whg3AY1.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess (graph_1-2313)
Source: C:\Users\user\Desktop\j95Whg3AY1.exe | Memory allocated: 16F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\j95Whg3AY1.exe | Memory allocated: 31C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\j95Whg3AY1.exe | Memory allocated: 51C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\j95Whg3AY1.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\j95Whg3AY1.exe TID: 6544 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_00401000 FindFirstFileW,FindNextFileW,EnterCriticalSection,LeaveCriticalSection
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_00401DC9 FindFirstFileW,FindNextFileW
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_00404EB2 FindFirstFileW,EnterCriticalSection,LeaveCriticalSection,FindNextFileW
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_00404145 FindFirstFileW,FindNextFileW
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_00403F87 FindFirstFileW,FindNextFileW
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_004020E1 GetCurrentHwProfileA,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA
Source: C:\Users\user\Desktop\j95Whg3AY1.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies
Source: RegAsm.exe, 00000001.00000002.2201815102.000000000E4E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: RegAsm.exe, 00000001.00000002.2201815102.000000000E4E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696428655f
Source: RegAsm.exe, 00000001.00000002.2201815102.000000000E4E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: RegAsm.exe, 00000001.00000002.2120417689.000000000B578000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlles
Source: RegAsm.exe, 00000001.00000002.2201815102.000000000E4E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: RegAsm.exe, 00000001.00000002.2201815102.000000000E4E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696428655
Source: RegAsm.exe, 00000001.00000002.2201815102.000000000E4E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: RegAsm.exe, 00000001.00000002.2201815102.000000000E4E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: RegAsm.exe, 00000001.00000002.2201815102.000000000E4E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: RegAsm.exe, 00000001.00000002.2201815102.000000000E4E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: RegAsm.exe, 00000001.00000002.2201815102.000000000E4E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: RegAsm.exe, 00000001.00000002.2201815102.000000000E4E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: RegAsm.exe, 00000001.00000002.2201815102.000000000E4E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: RegAsm.exe, 00000001.00000002.2201815102.000000000E4E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: RegAsm.exe, 00000001.00000002.2201815102.000000000E4E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: RegAsm.exe, 00000001.00000002.2201815102.000000000E4E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: RegAsm.exe, 00000001.00000002.2201815102.000000000E4E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: RegAsm.exe, 00000001.00000002.2201815102.000000000E4E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696428655s
Source: RegAsm.exe, 00000001.00000002.2201815102.000000000E4E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: RegAsm.exe, 00000001.00000002.2201815102.000000000E4E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: RegAsm.exe, 00000001.00000002.2201815102.000000000E4E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696428655
Source: RegAsm.exe, 00000001.00000002.2201815102.000000000E4E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696428655o
Source: RegAsm.exe, 00000001.00000002.2201815102.000000000E4E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: RegAsm.exe, 00000001.00000002.2201815102.000000000E4E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: RegAsm.exe, 00000001.00000002.2201815102.000000000E4E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: RegAsm.exe, 00000001.00000002.2201815102.000000000E4E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: RegAsm.exe, 00000001.00000002.2201815102.000000000E4E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696428655j
Source: RegAsm.exe, 00000001.00000002.2201815102.000000000E4E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: RegAsm.exe, 00000001.00000002.2201815102.000000000E4E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: RegAsm.exe, 00000001.00000002.2201815102.000000000E4E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: RegAsm.exe, 00000001.00000002.2201815102.000000000E4E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: RegAsm.exe, 00000001.00000002.2201815102.000000000E4E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_004035C3 GetProcessHeap,RtlFreeHeap
Source: C:\Users\user\Desktop\j95Whg3AY1.exe | Memory allocated: page read and write | page guard
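Two of the evasion rows above can be checked by hand rather than taken on trust. The link timestamp 0xAC5EDBAF decodes to 22 Aug 2061 00:56:15 UTC, decades after the sample was analysed, so it is forged. The delay value 922337203685477 is Int64.MaxValue ticks divided by 10,000, i.e. .NET's TimeSpan.MaxValue expressed in milliseconds: the thread is parked for roughly 29,000 years, which is an infinite wait in practice, not a sleep a real program would request. The Python triage script below is an added example, not code from the Joe Sandbox report or from the sample; the report lines it scans are a constructed, shortened excerpt of the rows above, and the analysis date is an assumption.

```python
import datetime
import re

# Constructed, shortened excerpt of the report rows under discussion (not a verbatim copy).
REPORT_LINES = [
    "Static PE information: 0xAC5EDBAF [Mon Aug 22 00:56:15 2061 UTC]",
    "Thread delayed: delay time: 922337203685477",
    "Thread sleep time: -922337203685477s >= -30000s",
    "Memory allocated: 16F0000 memory reserve | memory write watch",
]

# Assumed analysis date: a link timestamp later than this cannot be genuine.
ANALYSIS_DATE = datetime.datetime(2024, 7, 25, tzinfo=datetime.timezone.utc)

# Int64.MaxValue ticks (100 ns units) in milliseconds == .NET TimeSpan.MaxValue
DOTNET_TIMESPAN_MAX_MS = (2**63 - 1) // 10_000

TIMESTAMP_RE = re.compile(r"Static PE information: 0x([0-9A-Fa-f]{8})")
DELAY_RE = re.compile(r"delay time: (\d+)")


def pe_timestamp_to_utc(raw):
    """Decode IMAGE_FILE_HEADER.TimeDateStamp (seconds since 1970-01-01 UTC)."""
    return datetime.datetime.fromtimestamp(raw, tz=datetime.timezone.utc)


def timestamp_is_suspicious(raw, analysed=ANALYSIS_DATE):
    """A zeroed stamp or one that post-dates the analysis is forged, not a build time."""
    return raw == 0 or pe_timestamp_to_utc(raw) > analysed


def delay_ms_to_years(ms):
    """Express a sleep in Julian years so the scale of the value is obvious."""
    return ms / 1000 / (365.25 * 86400)


def delay_is_evasive(ms, threshold_years=1.0):
    """Flag an effectively infinite .NET wait, or any delay no real program needs."""
    return ms == DOTNET_TIMESPAN_MAX_MS or delay_ms_to_years(ms) > threshold_years


def triage(lines):
    """Scan report rows and return (finding, detail) pairs in the order they occur."""
    findings = []
    for line in lines:
        m = TIMESTAMP_RE.search(line)
        if m:
            raw = int(m.group(1), 16)
            if timestamp_is_suspicious(raw):
                findings.append(("pe_timestamp_future", pe_timestamp_to_utc(raw).isoformat()))
        m = DELAY_RE.search(line)
        if m:
            ms = int(m.group(1))
            if delay_is_evasive(ms):
                findings.append(("infinite_sleep", f"{delay_ms_to_years(ms):.0f} years"))
        if "memory write watch" in line:
            # MEM_WRITE_WATCH regions let the sample spot a sandbox that patches its memory.
            findings.append(("write_watch_alloc", line.split(": ", 1)[1]))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(REPORT_LINES):
        print(f"{kind:22} {detail}")
```

The sleep check keys on the exact TimeSpan.MaxValue value first because it survives any unit conversion the sandbox applies; the year threshold is the fallback for hand-rolled delays that are merely absurd rather than infinite.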

                    HIPS / PFW / Operating System Protection Evasion

Source: j95Whg3AY1.exe, MTD.cs | Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: j95Whg3AY1.exe, MTD.cs | Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)
Source: j95Whg3AY1.exe, MTD.cs | Reference to suspicious API methods: VirtualAllocEx(processInformation.ProcessHandle, num2, length, 12288, 64)
Source: j95Whg3AY1.exe, MTD.cs | Reference to suspicious API methods: WriteProcessMemory(processInformation.ProcessHandle, num4, payload, bufferSize, ref bytesRead)
Source: C:\Users\user\Desktop\j95Whg3AY1.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\j95Whg3AY1.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\j95Whg3AY1.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Desktop\j95Whg3AY1.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\Desktop\j95Whg3AY1.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 407000
Source: C:\Users\user\Desktop\j95Whg3AY1.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 408000
Source: C:\Users\user\Desktop\j95Whg3AY1.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 409000
Source: C:\Users\user\Desktop\j95Whg3AY1.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: D9C008
Source: C:\Users\user\Desktop\j95Whg3AY1.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_004020E1 cpuid
Source: C:\Users\user\Desktop\j95Whg3AY1.exe | Queries volume information: C:\Users\user\Desktop\j95Whg3AY1.exe VolumeInformation
Source: C:\Users\user\Desktop\j95Whg3AY1.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
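Read together, the rows above are the textbook process-hollowing sequence: the .NET loader resolves its injection APIs at run time through LoadLibraryA/GetProcAddress (so nothing suspicious appears in the import table), starts RegAsm.exe (suspended, per the "Creates a process in suspended mode" signature in the summary), allocates a PAGE_EXECUTE_READWRITE region at the host's preferred base 0x400000, and writes a PE starting with 4D5A into it section by section. In the VirtualAllocEx call the literals 12288 and 64 are MEM_COMMIT|MEM_RESERVE and PAGE_EXECUTE_READWRITE. The Python below is an added example, not code from the report or from the sample: it decodes those literals and correlates constructed event lines, shaped like the rows above, into a per-process verdict. The "suspended" marker on the constructed create event and the 1 MiB image window are assumptions; the report does not give RegAsm's SizeOfImage.

```python
import re
from collections import defaultdict

# Constructed event lines in the shape the report prints them (not a verbatim copy of the
# rows above). "suspended" is appended by hand for the CREATE_SUSPENDED launch that the
# summary signature reports separately.
TARGET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
EVENTS = [
    f"Process created: {TARGET} suspended",
    f"Memory allocated: {TARGET} base: 400000 protect: page execute and read and write",
    f"Memory written: {TARGET} base: 400000 value starts with: 4D5A",
    f"Memory written: {TARGET} base: 401000",
    f"Memory written: {TARGET} base: 409000",
    f"Memory written: {TARGET} base: D9C008",
    # Benign contrast case: a child that is spawned but never written into.
    r"Process created: C:\Windows\System32\notepad.exe",
]

CREATE_RE = re.compile(r"Process created: (?P<target>.+?)(?P<susp> suspended)?$")
ALLOC_RE = re.compile(r"Memory allocated: (?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+) protect: (?P<prot>.+)$")
WRITE_RE = re.compile(r"Memory written: (?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+)(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?$")

# Assumed image window: anything within 1 MiB above the MZ header counts as the hollowed
# image; writes elsewhere are reported separately.
IMAGE_WINDOW = 0x100000

# Win32 constants behind the literal arguments VirtualAllocEx(..., 12288, 64) in MTD.cs
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PAGE_PROTECT = {0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}


def decode_alloc_flags(alloc_type, protect):
    """Name the flAllocationType bits and the flProtect value."""
    names = [name for bit, name in MEM_FLAGS.items() if alloc_type & bit]
    return "|".join(names), PAGE_PROTECT.get(protect, hex(protect))


def detect_hollowing(lines):
    """Correlate events per target process. Suspended start + RWX allocation + an MZ
    header written at that same base is the hollowing signature."""
    state = defaultdict(lambda: {"suspended": False, "rwx": set(), "mz_at": None, "writes": []})
    for line in lines:
        if m := CREATE_RE.match(line):
            state[m["target"]]["suspended"] = m["susp"] is not None
        elif m := ALLOC_RE.match(line):
            if "execute" in m["prot"] and "write" in m["prot"]:
                state[m["target"]]["rwx"].add(int(m["base"], 16))
        elif m := WRITE_RE.match(line):
            s = state[m["target"]]
            base = int(m["base"], 16)
            s["writes"].append(base)
            if m["magic"] and m["magic"].upper().startswith("4D5A"):
                s["mz_at"] = base
    verdicts = {}
    for target, s in state.items():
        mz = s["mz_at"]
        # Writes outside the image. An address ending in ...008 here is consistent with
        # patching PEB.ImageBaseAddress (PEB+8 on 32-bit), the field MTD.cs reads back
        # via ReadProcessMemory(..., num3 + 8, ...); the report itself does not label it.
        outside = [a for a in s["writes"] if mz is None or not (mz <= a < mz + IMAGE_WINDOW)]
        verdicts[target] = {
            "hollowing": mz is not None and mz in s["rwx"],
            "suspended_start": s["suspended"],
            "image_base": mz,
            "writes_outside_image": outside,
        }
    return verdicts


if __name__ == "__main__":
    print(decode_alloc_flags(12288, 64))
    for target, verdict in detect_hollowing(EVENTS).items():
        print(target, verdict)
```

The verdict deliberately requires the MZ write to land inside a region the same actor made executable: a write of 4D5A alone also occurs in legitimate loaders and debuggers, and an RWX allocation alone occurs in JIT runtimes, but the combination in a freshly suspended child is not something benign .NET code does.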

                    Stealing of Sensitive Information

Source: Yara match | File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.j95Whg3AY1.exe.3206c88.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.j95Whg3AY1.exe.32162ec.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.j95Whg3AY1.exe.320e2e4.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.j95Whg3AY1.exe.320e2e4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.j95Whg3AY1.exe.32162ec.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.j95Whg3AY1.exe.3206c88.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.2077224145.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2008493412.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: j95Whg3AY1.exe PID: 3092, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6548, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Local State
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Local StateJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local StateJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.dbJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login DataJump to behavior

                    Remote Access Functionality

Source: Yara match | File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.j95Whg3AY1.exe.3206c88.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.j95Whg3AY1.exe.32162ec.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.j95Whg3AY1.exe.320e2e4.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.j95Whg3AY1.exe.320e2e4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.j95Whg3AY1.exe.32162ec.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.j95Whg3AY1.exe.3206c88.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.2077224145.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2008493412.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: j95Whg3AY1.exe PID: 3092, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6548, type: MEMORYSTR
MITRE ATT&CK matrix, listed per tactic (numeric prefixes are kept exactly as the report displays them):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 2 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: 311 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 311 Process Injection; 1 Obfuscated Files or Information; 1 Timestomp; 1 DLL Side-Loading
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 11 Security Software Discovery; 31 Virtualization/Sandbox Evasion; 2 File and Directory Discovery; 23 System Information Discovery; Internet Connection Discovery; Wi-Fi Discovery; Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Screen Capture; 1 Archive Collected Data; 1 Data from Local System; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: 2 Encrypted Channel; 1 Non-Standard Port; 1 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Source | Detection | Scanner | Label
j95Whg3AY1.exe | 68% | ReversingLabs | ByteCode-MSIL.Trojan.LummaStealer
j95Whg3AY1.exe | 73% | Virustotal |
j95Whg3AY1.exe | 100% | Avira | TR/Dropper.Gen
j95Whg3AY1.exe | 100% | Joe Sandbox ML |
                    No Antivirus matches
                    No Antivirus matches
                    No Antivirus matches
Source | Detection | Scanner | Label
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
https://duckduckgo.com/chrome_newtab | 0% | Virustotal |
https://duckduckgo.com/ac/?q= | 0% | Virustotal |
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Virustotal |
https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe
https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yaho | 0% | Avira URL Cloud | safe
85.244.212.106:2227 | 0% | Avira URL Cloud | safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Virustotal |
                    No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
85.244.212.106:2227 | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://ac.ecosia.org/autocomplete?q= | RegAsm.exe, 00000001.00000002.2105571623.000000000AEEE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2137856949.000000000C0A4000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2079213275.00000000099A2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2093441001.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/chrome_newtab | RegAsm.exe, 00000001.00000002.2093441001.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | RegAsm.exe, 00000001.00000002.2105571623.000000000AEEE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2137856949.000000000C0A4000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2093441001.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yaho | RegAsm.exe, 00000001.00000002.2079213275.00000000099A2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | RegAsm.exe, 00000001.00000002.2105571623.000000000AEEE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2137856949.000000000C0A4000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2093441001.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
https://duckduckgo.com/ac/?q= | RegAsm.exe, 00000001.00000002.2105571623.000000000AEEE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2137856949.000000000C0A4000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2093441001.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | RegAsm.exe, 00000001.00000002.2137856949.000000000C0A4000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2093441001.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | RegAsm.exe, 00000001.00000002.2105571623.000000000AEEE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2137856949.000000000C0A4000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2079213275.00000000099A2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2093441001.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | RegAsm.exe, 00000001.00000002.2105571623.000000000AEEE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2137856949.000000000C0A4000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2079213275.00000000099A2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2093441001.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | RegAsm.exe, 00000001.00000002.2105571623.000000000AEEE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2137856949.000000000C0A4000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2093441001.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.244.212.106 | unknown | Romania | 9009 | M247GB | false
                    Joe Sandbox version:40.0.0 Tourmaline
                    Analysis ID:1484487
                    Start date and time:2024-07-30 07:26:10 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 4m 57s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of analysed new started processes analysed:6
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:j95Whg3AY1.exe
                    renamed because original name is a hash value
                    Original Sample Name:c3b52d80ea14e12c171738b75522d8a7.exe
                    Detection:MAL
                    Classification:mal100.troj.spyw.evad.winEXE@3/1@0/1
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 100%
                    • Number of executed functions: 28
                    • Number of non-executed functions: 8
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                    • Report size getting too big, too many NtOpenFile calls found.
                    • Report size getting too big, too many NtQueryAttributesFile calls found.
                    No simulations
Match | Associated Sample Name / URL | Detection | Threat Name
185.244.212.106 | F7fahhucBo.exe | malicious | Poverty Stealer
185.244.212.106 | IxE6TjWjRM.exe | malicious | Poverty Stealer
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
M247GB | F7fahhucBo.exe | malicious | Poverty Stealer | 185.244.212.106
M247GB | COMANDA BELOR NR13 DIN 240715.xls | malicious | Remcos | 194.187.251.115
M247GB | AKPSrAWl2G.elf | malicious | Mirai | 193.32.99.139
M247GB | 5oXS6HtbzC.elf | malicious | Mirai | 185.90.60.83
M247GB | AWD 490104998518.xls | malicious | Remcos | 194.187.251.115
M247GB | danabot.exe | malicious | DanaBot | 172.86.76.246
M247GB | danabot.exe | malicious | DanaBot | 172.86.76.246
M247GB | file.exe | malicious | SystemBC | 89.238.188.232
M247GB | LisectAVT_2403002A_87.exe | malicious | FormBook | 38.207.19.49
M247GB | LisectAVT_2403002B_374.exe | malicious | XenoRAT | 37.120.141.155
                        No context
                        No context
                        Process:C:\Users\user\Desktop\j95Whg3AY1.exe
                        File Type:CSV text
                        Category:dropped
                        Size (bytes):425
                        Entropy (8bit):5.353683843266035
                        Encrypted:false
                        SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
                        MD5:859802284B12C59DDBB85B0AC64C08F0
                        SHA1:4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
                        SHA-256:FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
                        SHA-512:8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
                        Malicious:true
                        Reputation:high, very likely benign file
                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..
                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Entropy (8bit):4.306140783623506
                        TrID:
                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                        • Win32 Executable (generic) a (10002005/4) 49.78%
                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                        • Generic Win/DOS Executable (2004/3) 0.01%
                        • DOS Executable Generic (2002/1) 0.01%
                        File name:j95Whg3AY1.exe
                        File size:92'160 bytes
                        MD5:c3b52d80ea14e12c171738b75522d8a7
                        SHA1:20a07c67ba0832bdc86d84f0f778d7899b425681
                        SHA256:bc3d71c158c5ed330e165afc86a770af4710fffc44e7507d70d72ae69b2b82c0
                        SHA512:c576b239ef96f6a34b6ae3161280447468a23aeda711e33ac78211d1f04809f946a0f51aa715c6d56b41d25d28965a953ed590569087f8226eccf8e695de02be
                        SSDEEP:1536:iWafDEpCdzqHFv8FIcHFbd8iZyACQk6r4L8mPaNJNUzLata/o2G7n:iWafDEpC4vTclTycke4o0aNzUFL0
                        TLSH:E1933C283AFE502AF173EF755BE87996DA6FB6332B07A45E109003460B23A81DDD153D
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....^..........."...0..^...........}... ........@.. ....................................`................................
                        Icon Hash:00928e8e8686b000
                        Entrypoint:0x417dee
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Time Stamp:0xAC5EDBAF [Mon Aug 22 00:56:15 2061 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:4
                        OS Version Minor:0
                        File Version Major:4
                        File Version Minor:0
                        Subsystem Version Major:4
                        Subsystem Version Minor:0
                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al (this line is repeated 97 times in the report: it is the disassembly of the 0x00 padding bytes that follow the jump)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x17d94 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x18000 | 0x596 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1a000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x15df4 | 0x15e00 | a112cdf040b904a344f4b142733be202 | False | 0.5004241071428571 | data | 4.31601787292021 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x18000 | 0x596 | 0x600 | 92b255ce996701e84bb56ddf4acad581 | False | 0.4114583333333333 | data | 4.045231581385585 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x1a000 | 0xc | 0x200 | 3e4b63f141f3557c9f3a8194cdc25afa | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x180a0 | 0x30c | data | | | 0.4230769230769231
RT_MANIFEST | 0x183ac | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
2024-07-30T07:27:18.095662+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49705 | 13.85.23.86 | 192.168.2.5
2024-07-30T07:27:57.033136+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49713 | 13.85.23.86 | 192.168.2.5
2024-07-30T07:27:05.358298+0200 | TCP | 2048736 | ET MALWARE PovertyStealer Exfiltration M3 | 49704 | 2227 | 192.168.2.5 | 185.244.212.106
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 30, 2024 07:27:05.340850115 CEST | 49704 | 2227 | 192.168.2.5 | 185.244.212.106
Jul 30, 2024 07:27:05.349751949 CEST | 2227 | 49704 | 185.244.212.106 | 192.168.2.5
Jul 30, 2024 07:27:05.349869967 CEST | 49704 | 2227 | 192.168.2.5 | 185.244.212.106
Jul 30, 2024 07:27:05.349920034 CEST | 49704 | 2227 | 192.168.2.5 | 185.244.212.106
Jul 30, 2024 07:27:05.350214958 CEST | 49704 | 2227 | 192.168.2.5 | 185.244.212.106
Jul 30, 2024 07:27:05.358230114 CEST | 2227 | 49704 | 185.244.212.106 | 192.168.2.5
Jul 30, 2024 07:27:05.358242035 CEST | 2227 | 49704 | 185.244.212.106 | 192.168.2.5
Jul 30, 2024 07:27:05.358251095 CEST | 2227 | 49704 | 185.244.212.106 | 192.168.2.5
Jul 30, 2024 07:27:05.358289003 CEST | 2227 | 49704 | 185.244.212.106 | 192.168.2.5
Jul 30, 2024 07:27:05.358298063 CEST | 2227 | 49704 | 185.244.212.106 | 192.168.2.5
Jul 30, 2024 07:27:05.358298063 CEST | 49704 | 2227 | 192.168.2.5 | 185.244.212.106
Jul 30, 2024 07:27:05.358341932 CEST | 49704 | 2227 | 192.168.2.5 | 185.244.212.106
Jul 30, 2024 07:27:05.358398914 CEST | 2227 | 49704 | 185.244.212.106 | 192.168.2.5
Jul 30, 2024 07:27:05.358407974 CEST | 2227 | 49704 | 185.244.212.106 | 192.168.2.5
Jul 30, 2024 07:27:05.358453989 CEST | 49704 | 2227 | 192.168.2.5 | 185.244.212.106
Jul 30, 2024 07:27:05.358525038 CEST | 2227 | 49704 | 185.244.212.106 | 192.168.2.5
Jul 30, 2024 07:27:05.358566999 CEST | 2227 | 49704 | 185.244.212.106 | 192.168.2.5
Jul 30, 2024 07:27:05.358572006 CEST | 49704 | 2227 | 192.168.2.5 | 185.244.212.106
Jul 30, 2024 07:27:05.358607054 CEST | 49704 | 2227 | 192.168.2.5 | 185.244.212.106
Jul 30, 2024 07:27:05.364439011 CEST | 2227 | 49704 | 185.244.212.106 | 192.168.2.5
Jul 30, 2024 07:27:05.364495039 CEST | 49704 | 2227 | 192.168.2.5 | 185.244.212.106
Jul 30, 2024 07:27:05.364604950 CEST | 2227 | 49704 | 185.244.212.106 | 192.168.2.5
Jul 30, 2024 07:27:05.364650011 CEST | 49704 | 2227 | 192.168.2.5 | 185.244.212.106
Jul 30, 2024 07:27:05.364911079 CEST | 2227 | 49704 | 185.244.212.106 | 192.168.2.5
Jul 30, 2024 07:27:05.364918947 CEST | 2227 | 49704 | 185.244.212.106 | 192.168.2.5
Jul 30, 2024 07:27:05.364959002 CEST | 49704 | 2227 | 192.168.2.5 | 185.244.212.106
Jul 30, 2024 07:27:05.365221977 CEST | 2227 | 49704 | 185.244.212.106 | 192.168.2.5
                        Jul 30, 2024 07:27:05.365231037 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.365276098 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.365353107 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.365401030 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.365437984 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.365511894 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.414329052 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.414484024 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.466231108 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.466337919 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.518238068 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.518292904 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.566389084 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.566447020 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.614597082 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.614651918 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.666246891 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.666313887 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.714207888 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.714268923 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.766437054 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.766499043 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.818319082 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.818413019 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.839063883 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.839215040 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.845004082 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.845016003 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.845032930 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.845041990 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.845048904 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.845057964 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.845067978 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.845071077 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.845073938 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.845077038 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.845083952 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.845088005 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.845097065 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.845105886 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.845118046 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.845129013 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.845145941 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.845154047 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.845180035 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.845180035 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.845180035 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.845247030 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.845309973 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.845355988 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.845444918 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.845453978 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.845470905 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.845479012 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.845483065 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.845505953 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.845525980 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.845552921 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.845561981 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.845566034 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.845619917 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.851032019 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.851042032 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.851047993 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.851063967 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.851104021 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.851120949 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.851130009 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.851135015 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.851164103 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.851200104 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.851243973 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.851337910 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.851346016 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.851353884 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.851356983 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.851366997 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.851393938 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.851408005 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.851408958 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.851445913 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.851655006 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.851671934 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.851680040 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.851686954 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.851692915 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.851712942 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.851726055 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.851756096 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.851763964 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.851773024 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.851798058 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.851808071 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.852030039 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.852037907 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.852045059 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.852065086 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.852072954 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.852081060 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.852083921 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.852088928 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.852092981 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.852097034 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.852097034 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.852113008 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.852113008 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.852122068 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.852128983 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.852147102 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.852163076 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.852179050 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.852194071 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.852201939 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.852217913 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.852227926 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.852245092 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.852246046 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.852245092 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.852253914 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.852272034 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.852288008 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.852420092 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.852427959 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.852442980 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.852451086 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.852458000 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.852468967 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.852472067 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.852477074 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.852494001 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.852499962 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.852509022 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.852518082 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.852519989 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.852524996 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.852535963 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.852541924 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.852544069 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.852555990 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.852574110 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.852585077 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.856879950 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.856890917 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.856906891 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.856915951 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.856945038 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.856960058 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.856969118 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.856978893 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.856991053 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.857007027 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.857017040 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.857031107 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.857044935 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.859456062 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.859519005 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.859554052 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.859564066 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.859572887 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.859599113 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.859615088 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.860018015 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.860025883 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.860033989 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.860042095 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.860049963 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.860060930 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.860069990 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.860084057 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.860110044 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.860157013 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.860167980 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.860173941 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.860202074 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.860214949 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.860271931 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.860307932 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.860363007 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.860372066 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.860379934 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.860388994 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.860394955 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.860404968 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.860407114 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.860414982 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.860421896 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.860434055 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.860441923 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.860446930 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.860449076 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.860457897 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.860466003 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.860467911 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.860470057 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.860476017 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.860493898 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.860497952 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.860502005 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.860510111 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.860518932 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.860526085 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.860529900 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.860536098 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.860543966 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.860579014 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.860944986 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.860954046 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.860970974 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.860979080 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.860990047 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.861005068 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.861017942 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.861085892 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.861094952 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.861104012 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.861133099 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.861152887 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.861155987 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.861201048 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.861260891 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.861269951 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.861304045 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.861332893 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.861370087 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.861372948 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.861408949 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.861449003 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.861459970 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.861488104 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.864356995 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.864367962 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.864376068 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.864384890 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.864392996 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.864401102 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.864408970 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.864442110 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.864475012 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.865061998 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.865082979 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.865101099 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.865115881 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.865186930 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.865195036 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.865231037 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.865235090 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.865277052 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.865744114 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.865751982 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.865791082 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.865849018 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.865860939 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.865875959 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.865884066 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.865890980 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.865891933 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.865901947 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.865911007 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.865911007 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.865931034 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.865931988 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.865940094 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.865945101 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.865961075 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.865974903 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.866430044 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.866481066 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.866486073 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.866523981 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.866533041 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.866540909 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.866576910 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.866601944 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.866610050 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.866612911 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.866647005 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.866722107 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.866730928 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.866750002 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.866759062 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.866761923 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.866764069 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.866765022 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.866772890 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.866780996 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.866787910 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.866790056 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.866806030 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.866813898 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.866813898 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.866832972 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.866837025 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.907810926 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.907814980 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.907819986 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.907826900 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.907828093 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.907846928 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.907869101 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.908065081 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.908109903 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.908123016 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.908168077 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.908207893 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.908222914 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.908257008 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.908260107 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.908263922 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.908302069 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.908308983 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.908317089 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.908346891 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.908351898 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.908360004 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.908392906 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.908406019 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.908413887 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.908446074 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.908451080 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.908459902 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.908477068 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.908495903 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.908502102 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.908508062 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.908513069 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.908515930 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.908539057 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.908543110 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.908549070 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.908580065 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.908726931 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.908771038 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.909080982 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.909089088 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.909127951 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.909161091 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.909168959 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.909176111 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.909185886 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.909193039 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.909195900 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.909198999 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.909199953 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.909205914 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.909214020 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.909216881 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.909219980 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.909256935 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.909270048 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.910420895 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.910430908 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.910438061 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.910445929 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.910478115 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.910505056 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.910530090 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.910537004 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.910545111 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.910552025 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.910583973 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.910583973 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.910676956 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.910720110 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.910757065 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.910795927 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.910798073 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.910831928 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.911303043 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.911345005 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.912017107 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.912026882 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.912034035 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.912044048 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.912051916 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.912071943 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.912091970 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.912106991 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.912115097 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.912122965 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.912143946 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.912147999 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.912153006 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.912159920 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.912163973 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.912187099 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.912197113 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.912272930 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.912281990 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.912313938 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.912343979 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.912381887 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.912507057 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.912516117 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.912523031 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.912530899 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.912559986 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.912574053 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.912642002 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.912650108 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.912657022 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.912659883 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.912691116 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.912700891 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.912771940 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.912782907 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.912794113 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.912801981 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.912818909 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.912836075 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.912873983 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.912882090 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.912889004 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.912895918 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.912911892 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.912930965 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.912988901 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.912997007 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.913000107 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.913003922 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.913034916 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.913060904 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.913150072 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.913157940 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.913160086 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.913203001 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.913268089 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.913281918 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.913289070 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.913304090 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.913312912 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.913317919 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.913331985 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.913348913 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.913381100 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.913398981 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.913408041 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.913415909 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.913423061 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.913441896 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.913460016 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.913527012 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.913536072 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.913554907 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.913562059 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.913566113 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.913569927 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.913578033 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.913594007 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.913599014 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.913602114 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.913609982 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.913615942 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.913625956 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.913633108 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.913645029 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.913659096 CEST497042227192.168.2.5185.244.212.106
                        Jul 30, 2024 07:27:05.913913965 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.913991928 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.913999081 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.914007902 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.914061069 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.914067984 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.914076090 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.914184093 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.914191961 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.914237022 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.914246082 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.914256096 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.915502071 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.915512085 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.915519953 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.915528059 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.915977001 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.915986061 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.915993929 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.916002035 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.916011095 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.916018963 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.916027069 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.916034937 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.917263031 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.917709112 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.917718887 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.917728901 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.917783976 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.917792082 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.917798996 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.917924881 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.917932987 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.917939901 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.917947054 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.918062925 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.918071032 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.918077946 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.918272972 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.918281078 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.918289900 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.918298006 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.918304920 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.918415070 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.918473959 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.918482065 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.918488979 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.918504000 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.918510914 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.918518066 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.918530941 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.918545961 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.918564081 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.918580055 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.918656111 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.918663979 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.918685913 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.918724060 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.918772936 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.918780088 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.918855906 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.918863058 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.918900967 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.918910027 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.919017076 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.919023991 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.919195890 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.919277906 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.919286013 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.919321060 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.919327974 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.919363976 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.919370890 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.919413090 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.919423103 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.919431925 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.919486046 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.919492960 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.919534922 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.919543028 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.919549942 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.919565916 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.919573069 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.919606924 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.953300953 CEST222749704185.244.212.106192.168.2.5
                        Jul 30, 2024 07:27:05.953371048 CEST497042227192.168.2.5185.244.212.106
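Copied out of the report, the packet rows usually arrive with the five columns (timestamp, source port, destination port, source IP, destination IP) run together, so a row such as 497042227192.168.2.5185.244.212.106 can be read as ports 49704/2227 or 4970/42227 and as 192.168.2.5 or 192.168.2.51. The two directions of one TCP conversation settle it: only one reading of the client row pairs with a reading of the remote side's reply row. The script below is an added example written for this page, not Joe Sandbox code; it assumes the column order of the report's TCP packet table and that the timestamp ends in a 3- or 4-letter timezone token, and it runs on four constructed rows copied in the fused form.

```python
import re
from collections import Counter
from itertools import product

# Constructed input: four rows in the fused form the extracted report shows
# (timestamp, source port, destination port, source IP, destination IP
# run together with no separators).
SAMPLE_ROWS = """\
Jul 30, 2024 07:27:05.906965017 CEST497042227192.168.2.5185.244.212.106
Jul 30, 2024 07:27:05.907052040 CEST222749704185.244.212.106192.168.2.5
Jul 30, 2024 07:27:05.907111883 CEST497042227192.168.2.5185.244.212.106
Jul 30, 2024 07:27:05.953300953 CEST222749704185.244.212.106192.168.2.5
"""

# The timestamp ends with a timezone token; everything after it is digits and dots.
ROW_RE = re.compile(r"^(?P<ts>.+ [A-Z]{3,4})(?P<rest>\d[\d.]*)$")


def _octet_ok(s):
    return s.isdigit() and (s == "0" or s[0] != "0") and int(s) <= 255


def _port_ok(s):
    return s.isdigit() and s[0] != "0" and 1 <= int(s) <= 65535


def _splits(s, n):
    """Every way of cutting s into n non-empty consecutive pieces."""
    if n == 1:
        yield (s,)
        return
    for i in range(1, len(s) - n + 2):
        for tail in _splits(s[i:], n - 1):
            yield (s[:i],) + tail


def row_candidates(line):
    """All readings (ts, sport, dport, sip, dip) of one fused row.
    Two dotted quads glued together keep six dots, so the first group is
    sport+dport+first octet and the fourth group is last octet+first octet."""
    m = ROW_RE.match(line.strip())
    if not m:
        return []
    parts = m["rest"].split(".")
    if len(parts) != 7:
        return []
    head, o2, o3, seam, d2, d3, d4 = parts
    if not all(map(_octet_ok, (o2, o3, d2, d3, d4))):
        return []
    out = []
    for (sp, dp, o1), (o4, d1) in product(_splits(head, 3), _splits(seam, 2)):
        if _port_ok(sp) and _port_ok(dp) and all(map(_octet_ok, (o1, o4, d1))):
            out.append((m["ts"], int(sp), int(dp),
                        f"{o1}.{o2}.{o3}.{o4}", f"{d1}.{d2}.{d3}.{d4}"))
    return out


def _key(cand):
    _, sp, dp, sip, dip = cand
    return frozenset({(sip, sp), (dip, dp)})      # unordered endpoint pair


def resolve_conversation(text):
    """Choose, for every row, the reading whose endpoint pair occurs in the
    most rows: a packet and its reply disambiguate each other."""
    rows = [row_candidates(ln) for ln in text.splitlines() if ln.strip()]
    tally = Counter()
    for cands in rows:
        tally.update({_key(c) for c in cands})
    if not tally:
        return []
    best = tally.most_common(1)[0][0]
    return [next(c for c in cands if _key(c) == best)
            for cands in rows if any(_key(c) == best for c in cands)]


def summarize(text):
    """Packet count per direction plus the first and last timestamp."""
    pk = resolve_conversation(text)
    per_dir = Counter(f"{sip}:{sp} -> {dip}:{dp}" for _, sp, dp, sip, dip in pk)
    return {"packets": len(pk),
            "first": pk[0][0] if pk else None,
            "last": pk[-1][0] if pk else None,
            "directions": dict(per_dir)}


if __name__ == "__main__":
    print(summarize(SAMPLE_ROWS))
```

The endpoint pair that survives in every row of the sample is 192.168.2.5:49704 with 185.244.212.106:2227, which is also the quickest way to confirm the non-standard remote port before pivoting on it. A capture whose rows all come from one direction cannot be disambiguated this way and still yields several candidates per row.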

                        Target ID:0
                        Start time:01:26:57
                        Start date:30/07/2024
                        Path:C:\Users\user\Desktop\j95Whg3AY1.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\j95Whg3AY1.exe"
                        Imagebase:0xea0000
                        File size:92'160 bytes
                        MD5 hash:C3B52D80EA14E12C171738B75522D8A7
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_PovertyStealer, Description: Yara detected Poverty Stealer, Source: 00000000.00000002.2008493412.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:low
                        Has exited:true

                        Target ID:1
                        Start time:01:26:57
                        Start date:30/07/2024
                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                        Imagebase:0xbd0000
                        File size:65'440 bytes
                        MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_PovertyStealer, Description: Yara detected Poverty Stealer, Source: 00000001.00000002.2077224145.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:high
                        Has exited:true


                          Execution Graph

                          Execution Coverage:32.6%
                          Dynamic/Decrypted Code Coverage:100%
                          Signature Coverage:19.4%
                          Total number of Nodes:36
                          Total number of Limit Nodes:3
                          Execution graph (rendered interactively in the report; the nodes and edges it records, grouped by function):
                          • 16f08a8 -> 16f08b3 -> 16f19c0 -> 16f19fd (hub node that calls every helper below and returns to 16f091c)
                          • 16f1648 / 16f163c -> 16f16d1 CreateProcessA -> 16f1893
                          • 16f14a9 / 16f14b0 -> 16f14ae / 16f14e2 <-> 16f1529 ReadProcessMemory, leaving via 16f155c back to 16f19fd
                          • 16f12f9 / 16f1300 -> 16f1300 / 16f1340 VirtualAllocEx -> 16f137d back to 16f19fd
                          • 16f13b9 / 16f13c0 WriteProcessMemory, back to 16f19fd
                          • 16f1228 / 16f1221 Wow64SetThreadContext, back to 16f19fd
                          • 16f1178 -> 16f11b8 ResumeThread -> 16f11e9 back to 16f19fd
                          • second entry: 16f0898 -> 16f08a8 -> 16f19c0 (11 API calls) -> 16f091c
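The execution graph is the report's call graph serialized as whitespace-separated tokens: a node is "id address [label words]" and an edge is "a->b". The API names it hangs on the helpers of 16f19c0 (CreateProcessA, ReadProcessMemory, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext, ResumeThread) are the process-hollowing chain, consistent with the second target, RegAsm.exe, carrying the Poverty Stealer Yara match at 0x400000 rather than at its own image base 0xbd0000. The script below is an added example written for this page, not Joe Sandbox code: it parses that token format, collects the APIs reachable from a given function address, and reports which hollowing steps are missing. The step list and the CamelCase heuristic used to tell an API label from other label words are this example's own assumptions; the input is an excerpt copied verbatim from this report's execution_graph dump.

```python
import re
from collections import deque

# Constructed input: copied verbatim from this report's execution_graph dump
# (node id, address, optional label words; "a->b" tokens are edges).
GRAPH_DUMP = (
    "execution_graph 1096 16f08a8 1097 16f08b3 1096->1097 1100 16f19c0 1097->1100 "
    "1102 16f19fd 1100->1102 1101 16f091c 1102->1101 "
    "1105 16f1228 Wow64SetThreadContext 1102->1105 1106 16f1221 Wow64SetThreadContext 1102->1106 "
    "1108 16f13b9 WriteProcessMemory 1102->1108 1109 16f13c0 WriteProcessMemory 1102->1109 "
    "1114 16f1648 1102->1114 1118 16f163c 1102->1118 1122 16f14a9 1102->1122 1126 16f14b0 1102->1126 "
    "1130 16f12f9 1102->1130 1134 16f1300 1102->1134 1138 16f1178 1102->1138 "
    "1105->1102 1106->1102 1108->1102 1109->1102 "
    "1115 16f16d1 CreateProcessA 1114->1115 1117 16f1893 1115->1117 "
    "1119 16f16d1 CreateProcessA 1118->1119 1121 16f1893 1119->1121 "
    "1125 16f14ae 1122->1125 1123 16f1529 ReadProcessMemory 1123->1125 1124 16f155c 1124->1102 "
    "1125->1123 1125->1124 1129 16f14e2 1126->1129 1127 16f1529 ReadProcessMemory 1127->1129 "
    "1128 16f155c 1128->1102 1129->1127 1129->1128 "
    "1131 16f1300 VirtualAllocEx 1130->1131 1133 16f137d 1131->1133 1133->1102 "
    "1135 16f1340 VirtualAllocEx 1134->1135 1137 16f137d 1135->1137 1137->1102 "
    "1139 16f11b8 ResumeThread 1138->1139 1141 16f11e9 1139->1141 1141->1102 "
    "1142 16f0898 1143 16f08a8 1142->1143 1145 16f19c0 11 API calls 1143->1145 1144 16f091c 1145->1144"
)

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ADDR_RE = re.compile(r"^[0-9a-f]{5,8}$")
# Heuristic (this example's assumption): Win32 API labels are CamelCase with
# at least two humps, which excludes words such as "API" or "calls".
API_RE = re.compile(r"^[A-Z][a-z0-9]+(?:[A-Z][A-Za-z0-9]*)+$")


def parse_execution_graph(dump):
    """Return (nodes, edges): nodes maps id -> (address, [label words]),
    edges maps id -> set of successor ids."""
    nodes, edges = {}, {}
    toks = dump.split()
    cur = None
    i = 0
    while i < len(toks):
        t = toks[i]
        m = EDGE_RE.match(t)
        if m:
            edges.setdefault(m[1], set()).add(m[2])
        elif t.isdigit() and i + 1 < len(toks) and ADDR_RE.match(toks[i + 1]):
            cur = t                          # new node: id followed by address
            nodes[cur] = (toks[i + 1], [])
            i += 1                           # the address token is consumed here
        elif cur is not None and t != "execution_graph":
            nodes[cur][1].append(t)          # label word attached to the current node
        i += 1
    return nodes, edges


def apis_reachable(nodes, edges, root_addr):
    """All API names on nodes reachable from every node at root_addr."""
    roots = [nid for nid, (addr, _) in nodes.items() if addr == root_addr]
    seen, queue, apis = set(roots), deque(roots), set()
    while queue:
        nid = queue.popleft()
        apis.update(w for w in nodes.get(nid, ("", []))[1] if API_RE.match(w))
        for nxt in edges.get(nid, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return apis


# Step names are this example's own; each step lists the APIs that satisfy it.
HOLLOWING_STEPS = [
    ("create suspended target", {"CreateProcessA", "CreateProcessW"}),
    ("allocate in target", {"VirtualAllocEx"}),
    ("write image", {"WriteProcessMemory"}),
    ("redirect entry point", {"SetThreadContext", "Wow64SetThreadContext"}),
    ("resume", {"ResumeThread"}),
]


def missing_hollowing_steps(apis):
    """Names of hollowing steps with no matching API in the set."""
    return [name for name, alts in HOLLOWING_STEPS if not (alts & set(apis))]


if __name__ == "__main__":
    n, e = parse_execution_graph(GRAPH_DUMP)
    found = apis_reachable(n, e, "16f19c0")
    print(sorted(found), "missing:", missing_hollowing_steps(found))
```

The graph alone gives the set of APIs, not their order; the control-flow graph of 16f19c0 further down supplies the order, and the CreateProcessA flags (whether the child really starts suspended) are visible in neither, so a verdict from this check should be read together with the sandbox's own process-creation signature.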

                          Control-flow Graph (function 16f19c0; rendered interactively in the report, with executed and not-executed blocks coloured; the blocks and calls it records, in address order):

                          • 16f19c0-16f1a77: entry; 16f1a7a calls 16f163c / 16f1648 (CreateProcessA wrapper), result checked at 16f1a7c-16f1a7e
                          • 16f1a84-16f1ade: 16f1ae1 calls 16f1228 / 16f1221 (Wow64SetThreadContext), result checked at 16f1ae3-16f1ae5
                          • 16f1aeb-16f1b23: 16f1b26 calls 16f14a9 / 16f14b0 (ReadProcessMemory wrapper), result checked at 16f1b28-16f1b2a
                          • 16f1b30-16f1b8e: 16f1b91 calls 16f12f9 / 16f1300 (VirtualAllocEx wrapper), result checked at 16f1b93-16f1b98
                          • 16f1b9e-16f1bb8: 16f1bbb calls 16f13b9 / 16f13c0 (WriteProcessMemory), result checked at 16f1bbd-16f1bbf
                          • 16f1bc5-16f1bea: either skips to 16f1e91 or enters the loop 16f1bf0-16f1e8b, whose body 16f1d8f-16f1e72 calls 16f13b9 / 16f13c0 (WriteProcessMemory) at 16f1e75 once per iteration; 16f1e7f-16f1e8b branches back to 16f1bf0 or on to 16f1e91
                          • 16f1e91-16f1eb6: 16f1eb9 calls 16f13b9 / 16f13c0 (WriteProcessMemory), result checked at 16f1ebb-16f1ebd
                          • 16f1ec3-16f1eff: 16f1f02 calls 16f1228 / 16f1221 (Wow64SetThreadContext), result checked at 16f1f04-16f1f06
                          • 16f1f08-16f1f17: calls 16f1178 (ResumeThread wrapper), then 16f1f19-16f1f1c ends at 16f2056-16f205d or falls into the error chain
                          • error chain 16f1f22-16f1f35, 16f1f3c-16f1f4f, 16f1f56-16f1f69, 16f1f70-16f1f83, 16f1f8a-16f1f9d, 16f1fa4-16f1fb7, 16f1fbe-16f1fd1, 16f1fd8-16f1feb, 16f1ff2-16f2005, 16f200c-16f201f: each failed check above enters this chain, which runs down to 16f2026-16f2050
                          • 16f2026-16f2050: calls 16f07ec, then either returns to 16f19fd (the sequence restarts) or ends at 16f2056-16f205d
                          • the two addresses given for each call are the two resolved targets the sandbox recorded for the same call site
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2008247938.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_16f0000_j95Whg3AY1.jbxd
                          Similarity
                          • API ID:
                          • String ID: <-]q
                          • API String ID: 0-2201693957
                          • Opcode ID: 2e859facc98a3dd6ab44cf395cf893f2e4d699135af1bb2068d8d0c2ddf5e363
                          • Instruction ID: 082136911b26510a7e553e51f6a313f0b38e42625332f29b370ae1b520420323
                          • Opcode Fuzzy Hash: 2e859facc98a3dd6ab44cf395cf893f2e4d699135af1bb2068d8d0c2ddf5e363
                          • Instruction Fuzzy Hash: E2025070B002199FDB18DB69CC50BAEBBB6BF88700F24855DD909AB395DF359C42CB94

                          Control-flow Graph

                          control_flow_graph: rendered graph data omitted; function at 16f163c, with a CreateProcessA call and calls to 16f0254.
                          APIs
                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 016F187E
                          Memory Dump Source
                          • Source File: 00000000.00000002.2008247938.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_16f0000_j95Whg3AY1.jbxd
                          Similarity
                          • API ID: CreateProcess
                          • String ID:
                          • API String ID: 963392458-0
                          • Opcode ID: 7194bc97fb2b90ddca0c67330800a2b25c98e362ca3079a931f8e80191321991
                          • Instruction ID: 39870a102b8ffe232129fe1fd9c44658868fc72e2859f94ad3118da660182840
                          • Opcode Fuzzy Hash: 7194bc97fb2b90ddca0c67330800a2b25c98e362ca3079a931f8e80191321991
                          • Instruction Fuzzy Hash: 9AA16971D00219CFEB24CF68CC40BEEBBB2BF4A354F148169E919A7240DB759985CF91

                          Control-flow Graph

                          control_flow_graph: rendered graph data omitted; function at 16f1648, with a CreateProcessA call and calls to 16f0254.
                          APIs
                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 016F187E
                          Memory Dump Source
                          • Source File: 00000000.00000002.2008247938.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_16f0000_j95Whg3AY1.jbxd
                          Similarity
                          • API ID: CreateProcess
                          • String ID:
                          • API String ID: 963392458-0
                          • Opcode ID: 09a5c4376d4a46598cdb28e3b831520da2518b2bc236b602f35ede1184c2accd
                          • Instruction ID: 54c73950f1284df5499c35a3afa540daf7971b402c754fc876f0d6b8ebe90135
                          • Opcode Fuzzy Hash: 09a5c4376d4a46598cdb28e3b831520da2518b2bc236b602f35ede1184c2accd
                          • Instruction Fuzzy Hash: 60916971D00219CFEB24CF69CC40BEEBBB2BF4A354F1481A9E919A7240DB759985CF91

                          Control-flow Graph

                          control_flow_graph: rendered graph data omitted; function at 16f14a9, with a ReadProcessMemory call.
                          APIs
                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 016F1530
                          Memory Dump Source
                          • Source File: 00000000.00000002.2008247938.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_16f0000_j95Whg3AY1.jbxd
                          Similarity
                          • API ID: MemoryProcessRead
                          • String ID:
                          • API String ID: 1726664587-0
                          • Opcode ID: 206e2e94c9ed56e926eed0288a3c76f15783bd942e1512961a4da48b126c6260
                          • Instruction ID: c1cd3d116dc1c0dac828e74e5155c87347261d94871cbd5dde15a82f44852a60
                          • Opcode Fuzzy Hash: 206e2e94c9ed56e926eed0288a3c76f15783bd942e1512961a4da48b126c6260
                          • Instruction Fuzzy Hash: 18317AB1D003899FCB10CFA9C844B9EBFB5FF49350F14845EE659AB291C7799944CBA0

                          Control-flow Graph

                          control_flow_graph: rendered graph data omitted; function at 16f1221, with a Wow64SetThreadContext call.
                          APIs
                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 016F12A6
                          Memory Dump Source
                          • Source File: 00000000.00000002.2008247938.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_16f0000_j95Whg3AY1.jbxd
                          Similarity
                          • API ID: ContextThreadWow64
                          • String ID:
                          • API String ID: 983334009-0
                          • Opcode ID: 0e70f06610893d534d1cd3557900eb3afec98525f98bee3c85e07c98c7d992f5
                          • Instruction ID: dbf468658bd5d01d0141af36ff72cee65386577297add85212a041c69d8174ab
                          • Opcode Fuzzy Hash: 0e70f06610893d534d1cd3557900eb3afec98525f98bee3c85e07c98c7d992f5
                          • Instruction Fuzzy Hash: 1E2157B5D002098FDB10DFAAC885BEEBBF5AF49350F14802DD619A7340C7789585CBA0

                          Control-flow Graph

                          control_flow_graph: rendered graph data omitted; function at 16f13b9, with a WriteProcessMemory call.
                          APIs
                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 016F1450
                          Memory Dump Source
                          • Source File: 00000000.00000002.2008247938.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_16f0000_j95Whg3AY1.jbxd
                          Similarity
                          • API ID: MemoryProcessWrite
                          • String ID:
                          • API String ID: 3559483778-0
                          • Opcode ID: 19a124a72416633fae89e65ad667ec51c0a1f18b425fd1c51d0f00fa001ad05d
                          • Instruction ID: cb2a7219f94762c874b39a6b680a301e3d1d31ffa5bd0ba19a7f74b680d1c547
                          • Opcode Fuzzy Hash: 19a124a72416633fae89e65ad667ec51c0a1f18b425fd1c51d0f00fa001ad05d
                          • Instruction Fuzzy Hash: FE214875900349DFDB10CFA9C881BEEBBF5FF49310F108429E559A7240C7789944CBA0

                          Control-flow Graph

                          control_flow_graph: rendered graph data omitted; function at 16f13c0, with a WriteProcessMemory call.
                          APIs
                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 016F1450
                          Memory Dump Source
                          • Source File: 00000000.00000002.2008247938.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_16f0000_j95Whg3AY1.jbxd
                          Similarity
                          • API ID: MemoryProcessWrite
                          • String ID:
                          • API String ID: 3559483778-0
                          • Opcode ID: 3783dc6da29c80d8ba708e961b6790490a18006511c081226eef4ca55e25ed4d
                          • Instruction ID: a44e6710897eca1b7915500d788ae0b03268d73c50b9ab02f53e726edff5277e
                          • Opcode Fuzzy Hash: 3783dc6da29c80d8ba708e961b6790490a18006511c081226eef4ca55e25ed4d
                          • Instruction Fuzzy Hash: E32127B5900349DFDB10DFA9C885BEEBBF5FF49310F10842AE919A7240C7789944CBA0

                          Control-flow Graph

                          control_flow_graph: rendered graph data omitted; function at 16f1228, with a Wow64SetThreadContext call.
                          APIs
                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 016F12A6
                          Memory Dump Source
                          • Source File: 00000000.00000002.2008247938.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_16f0000_j95Whg3AY1.jbxd
                          Similarity
                          • API ID: ContextThreadWow64
                          • String ID:
                          • API String ID: 983334009-0
                          • Opcode ID: 6ddeed4d5a6a3689ebb0fe710cb6740fcb217991ffe183abe80653347f23697d
                          • Instruction ID: 8f82d35a260076be196957cad4c4c46d635142fd859872cfdb1e21746037b519
                          • Opcode Fuzzy Hash: 6ddeed4d5a6a3689ebb0fe710cb6740fcb217991ffe183abe80653347f23697d
                          • Instruction Fuzzy Hash: 5F2137B5D002098FDB10DFAAC485BAEBBF4EF49350F14842ED519A7240CB789985CBA0

                          Control-flow Graph

                          control_flow_graph: rendered graph data omitted; function at 16f14b0, with a ReadProcessMemory call.
                          APIs
                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 016F1530
                          Memory Dump Source
                          • Source File: 00000000.00000002.2008247938.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_16f0000_j95Whg3AY1.jbxd
                          Similarity
                          • API ID: MemoryProcessRead
                          • String ID:
                          • API String ID: 1726664587-0
                          • Opcode ID: cdcf3b919e31aac887ab4494a1cf9ad89b572094952ec266fa00b899f134c75d
                          • Instruction ID: e9593b41b737690e788ede08f1c04a6a43b537eff96a97ba729b1f45714cfab4
                          • Opcode Fuzzy Hash: cdcf3b919e31aac887ab4494a1cf9ad89b572094952ec266fa00b899f134c75d
                          • Instruction Fuzzy Hash: A82125B1C002499FDB10DFAAC885AEEFBF5FF48310F50842EE519A7250C7789941CBA0

                          Control-flow Graph

                          control_flow_graph: rendered graph data omitted; function at 16f12f9, with a VirtualAllocEx call.
                          APIs
                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 016F136E
                          Memory Dump Source
                          • Source File: 00000000.00000002.2008247938.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_16f0000_j95Whg3AY1.jbxd
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: dccfc318e96c3478736eedb4ae42d451e241a2dee45d395de3995edb11b5bb89
                          • Instruction ID: 33d4811b465ddfd31135a474a9f2257917a0f2024a32b92a2fe69a240cb58b6e
                          • Opcode Fuzzy Hash: dccfc318e96c3478736eedb4ae42d451e241a2dee45d395de3995edb11b5bb89
                          • Instruction Fuzzy Hash: 1B1126729043499FDB10DFAAC845BEEBFF5FF49320F148419E519A7250C77AA940CBA1

                          Control-flow Graph

                          control_flow_graph: rendered graph data omitted; function at 16f1300, with a VirtualAllocEx call.
                          APIs
                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 016F136E
                          Memory Dump Source
                          • Source File: 00000000.00000002.2008247938.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_16f0000_j95Whg3AY1.jbxd
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: 28ec70a3fe5bf0ea49707f7d75abd216551b9b636dc99c006fdf5c01b2f283f0
                          • Instruction ID: 4e179dd152c32c85694849c185efad8797f9b93a140105e225cc563093413844
                          • Opcode Fuzzy Hash: 28ec70a3fe5bf0ea49707f7d75abd216551b9b636dc99c006fdf5c01b2f283f0
                          • Instruction Fuzzy Hash: 961126728002499FDB10DFAAC844AEEBFF5EF49320F108419E519A7250C779A940CBA0

                          Control-flow Graph

                          control_flow_graph: rendered graph data omitted; function at 16f1178, with a ResumeThread call.
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2008247938.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_16f0000_j95Whg3AY1.jbxd
                          Similarity
                          • API ID: ResumeThread
                          • String ID:
                          • API String ID: 947044025-0
                          • Opcode ID: 85bdcd9ebfa307ece3332098133b4f6bcc1088fa29036a307672f77eadcb89bf
                          • Instruction ID: 5327a1555ff3f3d464f793911b0b38ec8daa4a3ce096d68b7479c3b9d43d4d81
                          • Opcode Fuzzy Hash: 85bdcd9ebfa307ece3332098133b4f6bcc1088fa29036a307672f77eadcb89bf
                          • Instruction Fuzzy Hash: BB113AB1D002498FDB14DFAAC8457EEFBF5EF89314F20841DD519A7240CB79A545CBA4

                          Control-flow Graph

                          control_flow_graph: rendered graph data omitted; function at 169d3b4, no API calls on the graph.
                          Memory Dump Source
                          • Source File: 00000000.00000002.2008048411.000000000169D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0169D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_169d000_j95Whg3AY1.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4f0245e36db6652f1d813694cb3d36518bfcc05fb4ca1f017b42d7df16b83643
                          • Instruction ID: b767fb108bcc920c13f02a59a8c4d0e1902b3dbdd2a2dc372a7a5b440ce2b2db
                          • Opcode Fuzzy Hash: 4f0245e36db6652f1d813694cb3d36518bfcc05fb4ca1f017b42d7df16b83643
                          • Instruction Fuzzy Hash: 0B21FFB1500200EFDF05DF98D9C0B66BF69FB98724F20C579E9090B256C33AE456CAA2
                          Memory Dump Source
                          • Source File: 00000000.00000002.2008048411.000000000169D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0169D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_169d000_j95Whg3AY1.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                          • Instruction ID: d2aa62ebbc66f867c71642be3a3ce66c53d2053ecfff9e52f5458ed3b3b871cf
                          • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                          • Instruction Fuzzy Hash: DA11DC76404280CFCF06CF54D9C4B56BF72FB88724F24C6A9D9490B656C33AE45ACBA2

                          Execution Graph

                          Execution Coverage:27.6%
                          Dynamic/Decrypted Code Coverage:0%
                          Signature Coverage:29.1%
                          Total number of Nodes:382
                          Total number of Limit Nodes:8
                          execution_graph: rendered graph data omitted; entry node 402282. API calls appearing on the graph: InitializeCriticalSectionAndSpinCount, CreateMutexA, GetLastError, ExitProcess, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, GetProcessHeap, RtlAllocateHeap, RtlFreeHeap, HeapReAlloc, GetModuleHandleA, GetProcAddress, LoadLibraryA, GetUserDefaultUILanguage, GetKeyboardLayoutList, GetModuleFileNameW, VirtualAlloc, GetCurrentProcess, IsWow64Process, OpenProcess, DuplicateHandle, CloseHandle, CreateThread, WaitForMultipleObjects, KiUserCallbackDispatcher, GetSystemMetrics, GetDC, ReleaseDC, GetCurrentObject, GetObjectW, DeleteObject, CreateCompatibleDC, CreateDIBSection, SelectObject, BitBlt, DeleteDC, GetCurrentHwProfileA, GetSystemInfo, GlobalMemoryStatusEx, EnumDisplayDevicesA, ObtainUserAgentString, WideCharToMultiByte, MultiByteToWideChar, IsDBCSLeadByte, __aulldvrm, GetFileAttributesW, FindFirstFileW, FindNextFileW, CryptUnprotectData, CryptProtectData, socket, connect, send, closesocket, Sleep.

                          Control-flow Graph

                          APIs
                            • Part of subcall function 0040475F: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,0040489D), ref: 00404771
                            • Part of subcall function 0040475F: LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,0040489D), ref: 0040477E
                          • KiUserCallbackDispatcher.NTDLL(0000004C), ref: 00404C9E
                          • GetSystemMetrics.USER32(0000004D), ref: 00404CA5
                          • GetDC.USER32(00000000), ref: 00404CE0
                          • GetCurrentObject.GDI32(00000000,00000007), ref: 00404CF3
                          • GetObjectW.GDI32(00000000,00000018,?), ref: 00404D0C
                          • DeleteObject.GDI32(00000000), ref: 00404D3E
                          • CreateCompatibleDC.GDI32(00000000), ref: 00404D9F
                          • CreateDIBSection.GDI32(00000000,?,00000000,?,00000000,00000000), ref: 00404DC0
                          • SelectObject.GDI32(00000000,00000000), ref: 00404DD2
                          • BitBlt.GDI32(00000000,00000000,00000000,?,004024F5,00000000,?,?,00CC0020), ref: 00404DF7
                            • Part of subcall function 00403595: EnterCriticalSection.KERNEL32(004084D4,?,?,00403C72,?,004022DE), ref: 0040359F
                            • Part of subcall function 00403595: GetProcessHeap.KERNEL32(00000008,?,?,?,00403C72,?,004022DE), ref: 004035A8
                            • Part of subcall function 00403595: RtlAllocateHeap.NTDLL(00000000,?,?,?,00403C72,?,004022DE), ref: 004035AF
                            • Part of subcall function 00403595: LeaveCriticalSection.KERNEL32(004084D4,?,?,?,00403C72,?,004022DE), ref: 004035B8
                            • Part of subcall function 00403E03: EnterCriticalSection.KERNEL32(004084D4,?,0000011C), ref: 00403E15
                            • Part of subcall function 004035C3: GetProcessHeap.KERNEL32(00000000,00000000,004026DC), ref: 004035CA
                            • Part of subcall function 004035C3: RtlFreeHeap.NTDLL(00000000), ref: 004035D1
                          • DeleteObject.GDI32(00000000), ref: 00404E95
                          • DeleteDC.GDI32(00000000), ref: 00404E9C
                          • ReleaseDC.USER32(00000000,00000000), ref: 00404EA5
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2077224145.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Object$HeapSection$CriticalDelete$CreateEnterProcess$AllocateCallbackCompatibleCurrentDispatcherFreeHandleLeaveLibraryLoadMetricsModuleReleaseSelectSystemUser
                          • String ID: ($- ScreenSize: {lWidth=%d, lHeight=%d}$2$6$U$er32$gdi3
                          • API String ID: 1387450592-1028866296
                          • Opcode ID: 9c41939b8386a9ff5e5cca6e165f57c1168fd9011b41827653576b46308b750e
                          • Instruction ID: 6b3ee7ab4da137d1a309b5a9f787d899f0e5564c39ac921fb92ff6ff8e554c30
                          • Opcode Fuzzy Hash: 9c41939b8386a9ff5e5cca6e165f57c1168fd9011b41827653576b46308b750e
                          • Instruction Fuzzy Hash: 4B718075D00208ABDB20DFA5DD45BEEBB79AF44700F10446AE605B72D1DB785A04CBA9

                          Control-flow Graph

                          APIs
                          • FindNextFileW.KERNELBASE(?,?), ref: 004013D1
                            • Part of subcall function 00404108: GetFileAttributesW.KERNELBASE(0118FB48,00401035,0118FB48,?), ref: 00404109
                            • Part of subcall function 00403595: EnterCriticalSection.KERNEL32(004084D4,?,?,00403C72,?,004022DE), ref: 0040359F
                            • Part of subcall function 00403595: GetProcessHeap.KERNEL32(00000008,?,?,?,00403C72,?,004022DE), ref: 004035A8
                            • Part of subcall function 00403595: RtlAllocateHeap.NTDLL(00000000,?,?,?,00403C72,?,004022DE), ref: 004035AF
                            • Part of subcall function 00403595: LeaveCriticalSection.KERNEL32(004084D4,?,?,?,00403C72,?,004022DE), ref: 004035B8
                          • FindFirstFileW.KERNELBASE(00000000,?,0118FB48,?), ref: 00401161
                            • Part of subcall function 00403F87: FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 00403FE8
                            • Part of subcall function 00403F87: FindNextFileW.KERNEL32(0040179D,?), ref: 00404089
                          • EnterCriticalSection.KERNEL32(004084D4), ref: 004016F5
                          • LeaveCriticalSection.KERNEL32(004084D4), ref: 0040170E
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2077224145.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$CriticalFindSection$EnterFirstHeapLeaveNext$AllocateAttributesProcess
                          • String ID: $Lr$%s%s$%s\%s$%s\*$7a?=$7a?=$Discord/$Telegram
                          • API String ID: 1893179121-60960798
                          • Opcode ID: ae2bfb38ba25c0f0b71d4385b243cdeab87b9b21f44fad0c552e87ed09ec3be0
                          • Instruction ID: e0fe4e299a14adff3431ec18ef39797f5155a140b4338a3cd7c1f3b0b96d06eb
                          • Opcode Fuzzy Hash: ae2bfb38ba25c0f0b71d4385b243cdeab87b9b21f44fad0c552e87ed09ec3be0
                          • Instruction Fuzzy Hash: A0323A71E102146ADB249BA58C91BFE73B89F80304F14417FE845B72E1EB7C8E858B9D

                          Control-flow Graph

                          APIs
                            • Part of subcall function 00403595: EnterCriticalSection.KERNEL32(004084D4,?,?,00403C72,?,004022DE), ref: 0040359F
                            • Part of subcall function 00403595: GetProcessHeap.KERNEL32(00000008,?,?,?,00403C72,?,004022DE), ref: 004035A8
                            • Part of subcall function 00403595: RtlAllocateHeap.NTDLL(00000000,?,?,?,00403C72,?,004022DE), ref: 004035AF
                            • Part of subcall function 00403595: LeaveCriticalSection.KERNEL32(004084D4,?,?,?,00403C72,?,004022DE), ref: 004035B8
                          • GetCurrentHwProfileA.ADVAPI32(?), ref: 00402198
                          • GetSystemInfo.KERNELBASE(?,?,0000011C), ref: 004021BF
                          • GlobalMemoryStatusEx.KERNELBASE(?), ref: 004021F3
                          • EnumDisplayDevicesA.USER32(00000000,00000002,?,00000001), ref: 00402275
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2077224145.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CriticalHeapSection$AllocateCurrentDevicesDisplayEnterEnumGlobalInfoLeaveMemoryProcessProfileStatusSystem
                          • String ID: - CPU: %s (%d cores)$- HWID: %s$- RAM: %d GB$- VideoAdapter #%d: %s$@
                          • API String ID: 330852582-565344305
                          • Opcode ID: 1289e8cf0d5fbe5f3f0ef4059f282c48e11b380c65581eb552a4a88b93ed5c2e
                          • Instruction ID: 22e8c097fdb53a750db3d38699cd98a3431052edcfded2005e7f0d2a9ec9707d
                          • Opcode Fuzzy Hash: 1289e8cf0d5fbe5f3f0ef4059f282c48e11b380c65581eb552a4a88b93ed5c2e
                          • Instruction Fuzzy Hash: 6141A6719083019BD720DF24CD85FABBBE8EB84714F10493EF945AB2C1E774994587AA

                          Control-flow Graph

                          APIs
                          • FindFirstFileW.KERNELBASE(00000000,?,00000000,004084D4,?), ref: 00404F58
                          • EnterCriticalSection.KERNEL32(004084D4), ref: 00405014
                            • Part of subcall function 00404EB2: LeaveCriticalSection.KERNEL32(004084D4), ref: 00405031
                          • FindNextFileW.KERNELBASE(?,?), ref: 00405200
                            • Part of subcall function 00404108: GetFileAttributesW.KERNELBASE(0118FB48,00401035,0118FB48,?), ref: 00404109
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2077224145.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$CriticalFindSection$AttributesEnterFirstLeaveNext
                          • String ID: %s\%s$%s\*$Telegram
                          • API String ID: 648860119-4994844
                          • Opcode ID: d84d8187fe1ade631e357449a07b88c685cf14ca7df123eb18c2c8c5d20aa8b4
                          • Instruction ID: ecd5ca78d3e23e3f5ec3a68d4d3fe809ace172ce08446f2cd26366b6c0f1c70a
                          • Opcode Fuzzy Hash: d84d8187fe1ade631e357449a07b88c685cf14ca7df123eb18c2c8c5d20aa8b4
                          • Instruction Fuzzy Hash: D9A18021E14308A9EF10DBA0AD06BBE7775EF44710F20546FE904BB2E1EBB50E85875E

                          Control-flow Graph

                          APIs
                          • FindFirstFileW.KERNELBASE(?), ref: 00401E10
                            • Part of subcall function 00403595: EnterCriticalSection.KERNEL32(004084D4,?,?,00403C72,?,004022DE), ref: 0040359F
                            • Part of subcall function 00403595: GetProcessHeap.KERNEL32(00000008,?,?,?,00403C72,?,004022DE), ref: 004035A8
                            • Part of subcall function 00403595: RtlAllocateHeap.NTDLL(00000000,?,?,?,00403C72,?,004022DE), ref: 004035AF
                            • Part of subcall function 00403595: LeaveCriticalSection.KERNEL32(004084D4,?,?,?,00403C72,?,004022DE), ref: 004035B8
                          • FindNextFileW.KERNELBASE(00000000,?), ref: 00401F94
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2077224145.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CriticalFileFindHeapSection$AllocateEnterFirstLeaveNextProcess
                          • String ID: %s%s$%s\%s$%s\*
                          • API String ID: 3555643018-2064654797
                          • Opcode ID: 5cebb7284f378f55fcd4df65f13594aa010d6026b77e4466925d64efd1a65d52
                          • Instruction ID: 14e95c991f87aca2b944788a29030c3de2d12e3058c1dcaec3f91741412fe5a3
                          • Opcode Fuzzy Hash: 5cebb7284f378f55fcd4df65f13594aa010d6026b77e4466925d64efd1a65d52
                          • Instruction Fuzzy Hash: C641B0706182025BC714EF24D955A2F77E8AF84704F10493FF885A72F2EB39EA44879E

                          Control-flow Graph

                          APIs
                            • Part of subcall function 0040475F: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,0040489D), ref: 00404771
                            • Part of subcall function 0040475F: LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,0040489D), ref: 0040477E
                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00401D80
                          • CryptProtectData.CRYPT32(?,?,00000000,00000000,00000000,00000000,?), ref: 00401DB6
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2077224145.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CryptData$HandleLibraryLoadModuleProtectUnprotect
                          • String ID: CRYPT32.dll$Poverty is the parent of crime.
                          • API String ID: 3642467563-1885057629
                          • Opcode ID: 622e6ff0f88186e0edc30eb6f211501fb37249f7525f79a651ced971cf4a73fd
                          • Instruction ID: c7f84ecd61725d2c0d2cc539ea739b2fab333b7ee9f2c38f0174a54d3eab5c97
                          • Opcode Fuzzy Hash: 622e6ff0f88186e0edc30eb6f211501fb37249f7525f79a651ced971cf4a73fd
                          • Instruction Fuzzy Hash: 9911F7B5D0020DABDB10DF95C8819EFBBBCEF48314F10456AE945B3280E774AE09CAA4

                          Control-flow Graph

                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000000,004026DC), ref: 004035CA
                          • RtlFreeHeap.NTDLL(00000000), ref: 004035D1
                          Memory Dump Source
                          • Source File: 00000001.00000002.2077224145.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$FreeProcess
                          • String ID:
                          • API String ID: 3859560861-0
                          • Opcode ID: a5c4a5c9563baa38c9ba5d526c864f3f6d83196204a18c55b87fe91dca070a4b
                          • Instruction ID: 873122bf131184cd6aa06baef865d0714c6afb91f4c12db888e56dda872d8f6a
                          • Opcode Fuzzy Hash: a5c4a5c9563baa38c9ba5d526c864f3f6d83196204a18c55b87fe91dca070a4b
                          • Instruction Fuzzy Hash: B6B092B0A491006AEE182BA09E0DB3B3A18AB04303F0002A8B302B14A0CA786500862A

                          Control-flow Graph

                          APIs
                          • InitializeCriticalSectionAndSpinCount.KERNEL32(004084D4,00000DA3), ref: 00402297
                          • CreateMutexA.KERNELBASE(00000000,00000000,0060cbb5-1dbd-468c-b2ba-03be756aa1c1), ref: 004022AF
                          • GetLastError.KERNEL32 ref: 004022C2
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2077224145.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CountCreateCriticalErrorInitializeLastMutexSectionSpin
                          • String ID: $$$d.log$- OperationSystem: %d:%d:%d$- UserAgent: %s$0060cbb5-1dbd-468c-b2ba-03be756aa1c1$@$cb_by_phoenix.v1.0$kernel32$shell32
                          • API String ID: 2005177960-3444067512
                          • Opcode ID: 5ae575048fcc4c035a58db82ac732a12716378483aa765e6d852ec2347ddc4b8
                          • Instruction ID: db5b455704c763b654c06a6b3c78ab43ebdd973590fbbde67410529c29875780
                          • Opcode Fuzzy Hash: 5ae575048fcc4c035a58db82ac732a12716378483aa765e6d852ec2347ddc4b8
                          • Instruction Fuzzy Hash: 36C11630904245AEEB10EFA0DE4ABAE7F75AF14705F00447EE141BA2E2DFB91A44CB5D

                          Control-flow Graph

                          APIs
                            • Part of subcall function 00404108: GetFileAttributesW.KERNELBASE(0118FB48,00401035,0118FB48,?), ref: 00404109
                            • Part of subcall function 00403595: EnterCriticalSection.KERNEL32(004084D4,?,?,00403C72,?,004022DE), ref: 0040359F
                            • Part of subcall function 00403595: GetProcessHeap.KERNEL32(00000008,?,?,?,00403C72,?,004022DE), ref: 004035A8
                            • Part of subcall function 00403595: RtlAllocateHeap.NTDLL(00000000,?,?,?,00403C72,?,004022DE), ref: 004035AF
                            • Part of subcall function 00403595: LeaveCriticalSection.KERNEL32(004084D4,?,?,?,00403C72,?,004022DE), ref: 004035B8
                          • EnterCriticalSection.KERNEL32(004084D4), ref: 00404580
                          • LeaveCriticalSection.KERNEL32(004084D4), ref: 004045CC
                          • EnterCriticalSection.KERNEL32(004084D4), ref: 0040464F
                          • LeaveCriticalSection.KERNEL32(004084D4), ref: 00404688
                          • EnterCriticalSection.KERNEL32(004084D4), ref: 004046C5
                          • LeaveCriticalSection.KERNEL32(004084D4), ref: 00404708
                          • EnterCriticalSection.KERNEL32(004084D4), ref: 00404721
                          • LeaveCriticalSection.KERNEL32(004084D4), ref: 0040474A
                            • Part of subcall function 00404377: GetModuleHandleA.KERNEL32(ntdll,NtQuerySystemInformation,?,00000000,?,?,?,?,?,004045FF), ref: 00404390
                            • Part of subcall function 00404377: GetProcAddress.KERNEL32(00000000), ref: 00404399
                            • Part of subcall function 00404377: GetModuleHandleA.KERNEL32(ntdll,NtQueryObject,?,?,?,?,004045FF), ref: 004043AA
                            • Part of subcall function 00404377: GetProcAddress.KERNEL32(00000000), ref: 004043AD
                            • Part of subcall function 00404377: OpenProcess.KERNEL32(00000040,00000000,00000000,?,?,?,?,004045FF), ref: 0040442F
                            • Part of subcall function 00404377: GetCurrentProcess.KERNEL32(004045FF,00000000,00000000,00000002,?,?,?,?,004045FF), ref: 0040444B
                            • Part of subcall function 00404377: DuplicateHandle.KERNEL32(?,?,00000000,?,?,?,?,004045FF), ref: 0040445A
                            • Part of subcall function 00404377: CloseHandle.KERNEL32(004045FF,?,?,?,?,004045FF), ref: 0040448A
                            • Part of subcall function 004035C3: GetProcessHeap.KERNEL32(00000000,00000000,004026DC), ref: 004035CA
                            • Part of subcall function 004035C3: RtlFreeHeap.NTDLL(00000000), ref: 004035D1
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2077224145.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CriticalSection$EnterLeave$HandleHeapProcess$AddressModuleProc$AllocateAttributesCloseCurrentDuplicateFileFreeOpen
                          • String ID: @$\??\%s$\Network\Cookies
                          • API String ID: 330363434-2791195959
                          • Opcode ID: 3aceadb322b04b0cd88ffec1cbc000090e3a08d248677b6e52905a850177b162
                          • Instruction ID: 30b89a0c7dd792c6c55c89bb752360b8731b4be3a9f183659006c232308b4c97
                          • Opcode Fuzzy Hash: 3aceadb322b04b0cd88ffec1cbc000090e3a08d248677b6e52905a850177b162
                          • Instruction Fuzzy Hash: 0C719F70940209BFDB04DF90CD4ABAD7BB5FB44305F10803AFA41BA2E1EBB95A45CB59

                          Control-flow Graph

                          control_flow_graph 442 4053f8-405481 call 40475f 445 405483-405485 442->445 446 40548a-4054e6 442->446 447 4055cd-4055d0 445->447 449 4055ca 446->449 450 4054ec-40551a call 4053ec socket 446->450 449->447 453 4055c0-4055c3 450->453 454 405520-405537 call 40535a call 403603 450->454 453->449 459 405538-40553e 454->459 460 405540-405555 connect 459->460 461 4055b3-4055bc closesocket 459->461 462 4055a6-4055b1 Sleep 460->462 463 405557-405577 send 460->463 461->453 462->459 463->462 464 405579-405593 send 463->464 464->462 465 405595-4055a4 call 4035c3 464->465 465->461
                          APIs
                            • Part of subcall function 0040475F: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,0040489D), ref: 00404771
                            • Part of subcall function 0040475F: LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,0040489D), ref: 0040477E
                          • socket.WS2_32(?,00000001,00000000), ref: 0040550F
                          • connect.WS2_32(000000FF,?,00000010), ref: 0040554E
                          • send.WS2_32(000000FF,00000000,00000000), ref: 00405570
                          • send.WS2_32(000000FF,000000FF,106,00000000), ref: 0040558C
                          • closesocket.WS2_32(000000FF), ref: 004055BC
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2077224145.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: send$HandleLibraryLoadModuleclosesocketconnectsocket
                          • String ID: 106$185.244.212.106$ws2_32.dll
                          • API String ID: 2279181061-2093737415
                          • Opcode ID: a73edc028289e007b58240179607b5c7043d58571fe9e478d17d5c3581820d74
                          • Instruction ID: 1ba8255f1e8dd8081fefad2875cd7e7399d758cce23e8b083b3bca88080a13bc
                          • Opcode Fuzzy Hash: a73edc028289e007b58240179607b5c7043d58571fe9e478d17d5c3581820d74
                          • Instruction Fuzzy Hash: C851C530C44288EDEF018BE4D8097EEBFB99F15314F14459AE660BE2D1C7B9474ACB65
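The edge list above is the only machine-readable form of the control-flow graph that survives in the text export, and it is enough to recover the function's structure. The script below is an added example, not part of the Joe Sandbox report and not code from the sample; its token grammar (node id, hex address or range, optional `call <addr>`/API annotations, `src->dst` edges) is inferred from the listing and is an assumption. It parses the 4053f8 graph, finds back edges by depth-first search, builds each natural loop and reports those that call Sleep. On this graph it recovers the connect/send/Sleep retry loop headed at block 459 (405538-40553e): the beaconing behaviour behind the `connect` and `send` calls listed above.

```python
"""Parse a Joe Sandbox text control-flow graph and find Sleep-driven retry loops.

Added example for reading the 'control_flow_graph' edge lists printed in this
report; it is not Joe Sandbox code and not code from the sample. The format is
inferred from the listing itself (an assumption): after the graph name, each
node is '<id> <start>[-<end>]' followed by optional annotations ('call <addr>'
or an API name), and each edge is '<src>-><dst>'.
"""
import re
from collections import defaultdict

# A node's address token is a single hex address or a hex range.
ADDR_RE = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")

# Constructed input: the edge list of the socket/connect/send function at
# 4053f8, copied from the report above.
CFG_4053F8 = (
    "control_flow_graph 442 4053f8-405481 call 40475f 445 405483-405485 442->445 "
    "446 40548a-4054e6 442->446 447 4055cd-4055d0 445->447 449 4055ca 446->449 "
    "450 4054ec-40551a call 4053ec socket 446->450 449->447 453 4055c0-4055c3 "
    "450->453 454 405520-405537 call 40535a call 403603 450->454 453->449 "
    "459 405538-40553e 454->459 460 405540-405555 connect 459->460 "
    "461 4055b3-4055bc closesocket 459->461 462 4055a6-4055b1 Sleep 460->462 "
    "463 405557-405577 send 460->463 461->453 462->459 463->462 "
    "464 405579-405593 send 463->464 464->462 465 405595-4055a4 call 4035c3 "
    "464->465 465->461"
)


def parse_cfg(text):
    """Return (nodes, edges). nodes maps id -> {'range', 'annots'} in report
    order, so the first key is the function entry; edges is a list of
    (src, dst) id pairs."""
    toks = text.split()
    if toks and toks[0] == "control_flow_graph":
        toks = toks[1:]
    nodes, edges, cur, i = {}, [], None, 0
    while i < len(toks):
        tok = toks[i]
        if "->" in tok:                       # edge token
            src, dst = tok.split("->", 1)
            edges.append((src, dst))
        elif tok.isdigit() and i + 1 < len(toks) and ADDR_RE.match(toks[i + 1]):
            cur = tok                         # new node: id followed by address
            nodes[cur] = {"range": toks[i + 1], "annots": []}
            i += 1
        elif cur is None:
            raise ValueError("annotation before first node: %r" % tok)
        elif tok == "call" and i + 1 < len(toks):
            nodes[cur]["annots"].append("call " + toks[i + 1])   # internal call
            i += 1
        else:
            nodes[cur]["annots"].append(tok)  # API name shown on the block
        i += 1
    return nodes, edges


def back_edges(nodes, edges):
    """Back edges (n -> h) found by depth-first search from the entry node;
    every back edge closes a loop in the function."""
    succ = defaultdict(list)
    for s, d in edges:
        succ[s].append(d)
    WHITE, GREY, BLACK = 0, 1, 2
    color = defaultdict(int)                  # unseen nodes default to WHITE
    found = []

    def dfs(n):
        color[n] = GREY
        for m in succ[n]:
            if color[m] == GREY:              # m is on the current DFS path
                found.append((n, m))
            elif color[m] == WHITE:
                dfs(m)
        color[n] = BLACK

    dfs(next(iter(nodes)))
    return found


def natural_loop(edges, back_edge):
    """Body of the loop closed by back edge (n -> h): h plus every node that
    reaches n without passing through h (the standard natural-loop rule)."""
    n, h = back_edge
    pred = defaultdict(list)
    for s, d in edges:
        pred[d].append(s)
    body, stack = {h, n}, [n]
    while stack:
        for p in pred[stack.pop()]:
            if p not in body:
                body.add(p)
                stack.append(p)
    return body


def loop_apis(nodes, body):
    """API names annotated on the blocks of a loop body (internal calls dropped)."""
    return sorted({a for b in body for a in nodes[b]["annots"]
                   if not a.startswith("call ")})


def find_sleep_loops(text):
    """Loops that call Sleep: the connect/send, wait, retry shape of a
    beaconing client. Returns one dict per such loop."""
    nodes, edges = parse_cfg(text)
    loops = []
    for be in back_edges(nodes, edges):
        body = natural_loop(edges, be)
        apis = loop_apis(nodes, body)
        if "Sleep" in apis:
            loops.append({"back_edge": be, "header": nodes[be[1]]["range"],
                          "body": sorted(body, key=int), "apis": apis})
    return loops


if __name__ == "__main__":
    for loop in find_sleep_loops(CFG_4053F8):
        print("loop at %s: blocks %s, APIs %s"
              % (loop["header"], loop["body"], loop["apis"]))
```

Run it as a script and it prints the single loop 459-460-462-463-464 with APIs Sleep, connect and send. The same functions accept any other `control_flow_graph` line from this report, for example the one for 40475f below, which has loops of its own but none that sleep.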

                          Control-flow Graph

                          control_flow_graph 564 4048d6-4048e5 565 404c1b 564->565 566 4048eb-404904 VirtualAlloc 564->566 567 404c21-404c24 565->567 566->565 568 40490a-40492e call 40475f 566->568 569 404c27-404c2c 567->569 572 404934-404949 call 4035d8 568->572 573 404c17-404c19 568->573 576 40494b-404952 572->576 573->569 577 404954-404959 576->577 578 40495d-404960 576->578 577->576 579 40495b 577->579 580 404964-40498b GetCurrentProcess IsWow64Process call 4052c4 578->580 579->580 583 404991-404996 580->583 584 404a1b-404a1e 580->584 587 4049b7-4049bc 583->587 588 404998-4049a8 583->588 585 404a20-404a23 584->585 586 404a6b-404a6e 584->586 589 404a43-404a47 585->589 590 404a25-404a41 585->590 592 404a74-404a79 586->592 593 404b19-404b1f 586->593 594 4049fc-4049ff 587->594 595 4049be-4049c3 587->595 591 4049aa-4049b2 588->591 589->565 601 404a4d-404a69 589->601 600 404abd-404aca 590->600 591->600 602 404a9b-404a9d 592->602 603 404a7b-404a99 592->603 598 404b25-404b2b 593->598 599 404bba-404bbd 593->599 596 404a01-404a04 594->596 597 404a0a-404a19 594->597 595->588 604 4049c5-4049c7 595->604 596->565 596->597 597->591 605 404b4b-404b51 598->605 606 404b2d-404b46 598->606 599->565 607 404bbf-404be0 599->607 600->567 601->600 608 404acf-404ad2 602->608 609 404a9f-404ab8 602->609 603->600 604->588 610 4049c9-4049cc 604->610 611 404b71-404b77 605->611 612 404b53-404b6c 605->612 606->567 613 404c02 607->613 614 404be2-404be8 607->614 617 404af2-404af5 608->617 618 404ad4-404aed 608->618 609->600 615 4049e2-4049e5 610->615 616 4049ce-4049e0 610->616 621 404b97-404b9d 611->621 622 404b79-404b92 611->622 612->567 620 404c07-404c0e 613->620 614->613 623 404bea-404bf0 614->623 615->565 624 4049eb-4049fa 615->624 616->591 617->565 619 404afb-404b14 617->619 618->567 619->567 620->567 621->607 625 404b9f-404bb8 621->625 622->567 623->613 626 404bf2-404bf8 623->626 624->591 625->567 626->613 627 404bfa-404c00 626->627 627->613 628 404c10-404c15 627->628 628->620
                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,00000020,00003000,00000040,0000011C,?,?,?,?,?,00402351), ref: 004048F7
                            • Part of subcall function 0040475F: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,0040489D), ref: 00404771
                            • Part of subcall function 0040475F: LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,0040489D), ref: 0040477E
                          • GetCurrentProcess.KERNEL32(Q#@), ref: 0040496B
                          • IsWow64Process.KERNEL32(00000000), ref: 00404972
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2077224145.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process$AllocCurrentHandleLibraryLoadModuleVirtualWow64
                          • String ID: Q#@$l$ntdl$ntdllQ#@
                          • API String ID: 1207166019-1218684799
                          • Opcode ID: ebe54b5adaa1454df0bc47721d2e3ec9d3f0b6f4b007c1f342d762859cf1769e
                          • Instruction ID: 3ee230e69bd7094b3339c115938649c60d03c5872765df0b6732839f5e82a11c
                          • Opcode Fuzzy Hash: ebe54b5adaa1454df0bc47721d2e3ec9d3f0b6f4b007c1f342d762859cf1769e
                          • Instruction Fuzzy Hash: C881E5B061820196EB649B50EF5577A33A8FB91710F20053FE345BB3E1EBB88D80874E

                          Control-flow Graph

                          APIs
                          • EnterCriticalSection.KERNEL32(004084D4,?,?,00403C72,?,004022DE), ref: 0040359F
                          • GetProcessHeap.KERNEL32(00000008,?,?,?,00403C72,?,004022DE), ref: 004035A8
                          • RtlAllocateHeap.NTDLL(00000000,?,?,?,00403C72,?,004022DE), ref: 004035AF
                          • LeaveCriticalSection.KERNEL32(004084D4,?,?,?,00403C72,?,004022DE), ref: 004035B8
                          Memory Dump Source
                          • Source File: 00000001.00000002.2077224145.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CriticalHeapSection$AllocateEnterLeaveProcess
                          • String ID:
                          • API String ID: 1367039788-0
                          • Opcode ID: d8cb59fa451f531bb7d9703be9d6d3f1f0789b70689b423d9663a2cdfd0a23a5
                          • Instruction ID: 3223c967265719e8531dc247f72f9ba3551b462deb81e419d276c47ad9b9309f
                          • Opcode Fuzzy Hash: d8cb59fa451f531bb7d9703be9d6d3f1f0789b70689b423d9663a2cdfd0a23a5
                          • Instruction Fuzzy Hash: 81D0A733E0812067CB5027F9BE0C99BBF6CEF86661705027AF645E3160CAB85C0587AA

                          Control-flow Graph

                          control_flow_graph 693 40475f-40477b GetModuleHandleA 694 404791-404799 693->694 695 40477d-404788 LoadLibraryA 693->695 697 404868 694->697 698 40479f-4047aa 694->698 695->694 696 40478a-40478c 695->696 699 40486b-404870 696->699 697->699 698->697 700 4047b0-4047b9 698->700 700->697 701 4047bf-4047c4 700->701 701->697 702 4047ca-4047ce 701->702 702->697 703 4047d4-4047f9 702->703 704 404867 703->704 705 4047fb-404806 703->705 704->697 706 404808-404812 705->706 707 404814-40482e call 4036b2 call 403bed 706->707 708 404857-404865 706->708 713 404830-404838 707->713 714 40483c-404854 707->714 708->704 708->705 713->706 715 40483a 713->715 714->708 715->708
                          APIs
                          • GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,0040489D), ref: 00404771
                          • LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,0040489D), ref: 0040477E
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2077224145.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: HandleLibraryLoadModule
                          • String ID: ntdl
                          • API String ID: 4133054770-3973061744
                          • Opcode ID: 153b30b252ebdc061fc8619bae493407424138c2e36891cb89667ed67eb505d5
                          • Instruction ID: 11ff4d8a77b90bf3d421a1100ca7fc1e5220f65cc3b3dee9f6ee43e9c25cea99
                          • Opcode Fuzzy Hash: 153b30b252ebdc061fc8619bae493407424138c2e36891cb89667ed67eb505d5
                          • Instruction Fuzzy Hash: B131127AE00215DBCB54EFA9C480ABEB7B0FF89704F04466AC551B3381C738A951CBA4

                          Control-flow Graph

                          control_flow_graph 732 404108-404117 GetFileAttributesW
                          APIs
                          • GetFileAttributesW.KERNELBASE(0118FB48,00401035,0118FB48,?), ref: 00404109
                          Memory Dump Source
                          • Source File: 00000001.00000002.2077224145.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: AttributesFile
                          • String ID:
                          • API String ID: 3188754299-0
                          • Opcode ID: d097877ed9740e91f650fee32fe24c2afa502c42455f07a4a2dfcf8c61e2aed8
                          • Instruction ID: c139d24a98a97a360684cfbb393a546f3f92256ca7c1166e296c0db0bb017a51
                          • Opcode Fuzzy Hash: d097877ed9740e91f650fee32fe24c2afa502c42455f07a4a2dfcf8c61e2aed8
                          • Instruction Fuzzy Hash: 1DA022380302008BCA2C03300FAA00E30000E0A2F03220BACB033F80E0EA38C2800002
                          APIs
                            • Part of subcall function 00404108: GetFileAttributesW.KERNELBASE(0118FB48,00401035,0118FB48,?), ref: 00404109
                            • Part of subcall function 00403595: EnterCriticalSection.KERNEL32(004084D4,?,?,00403C72,?,004022DE), ref: 0040359F
                            • Part of subcall function 00403595: GetProcessHeap.KERNEL32(00000008,?,?,?,00403C72,?,004022DE), ref: 004035A8
                            • Part of subcall function 00403595: RtlAllocateHeap.NTDLL(00000000,?,?,?,00403C72,?,004022DE), ref: 004035AF
                            • Part of subcall function 00403595: LeaveCriticalSection.KERNEL32(004084D4,?,?,?,00403C72,?,004022DE), ref: 004035B8
                          • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 00403FE8
                          • FindNextFileW.KERNEL32(0040179D,?), ref: 00404089
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2077224145.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$CriticalFindHeapSection$AllocateAttributesEnterFirstLeaveNextProcess
                          • String ID: %s%s$%s\%s$%s\*
                          • API String ID: 674214967-2064654797
                          • Opcode ID: 851fe2d0db6313b3b97ce49e1a9b884d2538fd0dfee7c13a5dcc67b2ec672ff6
                          • Instruction ID: 3b86eeb09e9c0eadff58ad7c69213eb5ca1285151f1c464e5ebf84cdc8497cf1
                          • Opcode Fuzzy Hash: 851fe2d0db6313b3b97ce49e1a9b884d2538fd0dfee7c13a5dcc67b2ec672ff6
                          • Instruction Fuzzy Hash: 2831F3B1E0021967DB21AF618C45ABE7BA99F80304F0441BEFE05B73D1EB3D8F458699
                          APIs
                          • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 00404198
                          • FindNextFileW.KERNEL32(000000FF,?), ref: 004041E4
                            • Part of subcall function 004035C3: GetProcessHeap.KERNEL32(00000000,00000000,004026DC), ref: 004035CA
                            • Part of subcall function 004035C3: RtlFreeHeap.NTDLL(00000000), ref: 004035D1
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2077224145.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: FileFindHeap$FirstFreeNextProcess
                          • String ID: %s\%s$%s\*
                          • API String ID: 1689202581-2848263008
                          • Opcode ID: 03ec7cdd6b1c53106126d1c61fe10d4903e8003fb5869c5929cfc5ffc06257b0
                          • Instruction ID: 0ae009433c7d8e74f2399d383574e25c26017cf842a18982b61cce91de727895
                          • Opcode Fuzzy Hash: 03ec7cdd6b1c53106126d1c61fe10d4903e8003fb5869c5929cfc5ffc06257b0
                          • Instruction Fuzzy Hash: C931A8B0B00214ABCB20AF65CC8566E7BADEF85745F1044BEB905A73C1DB7C9E418B99
                          APIs
                          • GetModuleHandleA.KERNEL32(ntdll,NtQuerySystemInformation,?,00000000,?,?,?,?,?,004045FF), ref: 00404390
                          • GetProcAddress.KERNEL32(00000000), ref: 00404399
                          • GetModuleHandleA.KERNEL32(ntdll,NtQueryObject,?,?,?,?,004045FF), ref: 004043AA
                          • GetProcAddress.KERNEL32(00000000), ref: 004043AD
                            • Part of subcall function 00403595: EnterCriticalSection.KERNEL32(004084D4,?,?,00403C72,?,004022DE), ref: 0040359F
                            • Part of subcall function 00403595: GetProcessHeap.KERNEL32(00000008,?,?,?,00403C72,?,004022DE), ref: 004035A8
                            • Part of subcall function 00403595: RtlAllocateHeap.NTDLL(00000000,?,?,?,00403C72,?,004022DE), ref: 004035AF
                            • Part of subcall function 00403595: LeaveCriticalSection.KERNEL32(004084D4,?,?,?,00403C72,?,004022DE), ref: 004035B8
                          • OpenProcess.KERNEL32(00000040,00000000,00000000,?,?,?,?,004045FF), ref: 0040442F
                          • GetCurrentProcess.KERNEL32(004045FF,00000000,00000000,00000002,?,?,?,?,004045FF), ref: 0040444B
                          • DuplicateHandle.KERNEL32(?,?,00000000,?,?,?,?,004045FF), ref: 0040445A
                          • CloseHandle.KERNEL32(004045FF,?,?,?,?,004045FF), ref: 0040448A
                          • GetCurrentProcess.KERNEL32(004045FF,00000000,00000000,00000001,?,?,?,?,004045FF), ref: 00404498
                          • DuplicateHandle.KERNEL32(?,?,00000000,?,?,?,?,004045FF), ref: 004044A7
                          • CloseHandle.KERNEL32(?,?,?,?,?,004045FF), ref: 004044BA
                          • CloseHandle.KERNEL32(000000FF), ref: 004044DD
                          • CloseHandle.KERNEL32(?), ref: 004044E5
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2077224145.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: Handle$CloseProcess$AddressCriticalCurrentDuplicateHeapModuleProcSection$AllocateEnterLeaveOpen
                          • String ID: NtQueryObject$NtQuerySystemInformation$ntdll
                          • API String ID: 3110323036-2044536123
                          • Opcode ID: b5df68a6bf919bf50a48ac763dfae3735d449fe75d6ecaf60c1b57aeb643f3aa
                          • Instruction ID: 6b6220df04feaa08bf7b4da56c654ad1a859742ad58229fcdab27ba0eb323707
                          • Opcode Fuzzy Hash: b5df68a6bf919bf50a48ac763dfae3735d449fe75d6ecaf60c1b57aeb643f3aa
                          • Instruction Fuzzy Hash: 884172B1E00119ABDB109BE68D44AAFBBB9EF84314F144176F604F22D0DB78DE41CBA5
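The per-function API and String ID fields are enough to match behavioural patterns mechanically. The script below is an added example, not Joe Sandbox code, not one of its signatures, and not code from the sample: it parses API lines of the form `<Api>.<Module>(<args>), ref: <addr>` (with the optional `Part of subcall function <addr>:` prefix) and the `String ID` field, then applies hand-written rules whose names are this example's own. The first rule matches the sequence listed directly above: NtQuerySystemInformation and NtQueryObject resolved from ntdll, OpenProcess with access 0x40 (PROCESS_DUP_HANDLE), then DuplicateHandle. In a stealer that sequence is how a file another process holds open with exclusive access is read, which fits the `\Network\Cookies` string in the caller at 0040474A; that reading is an inference from the listing, not a report finding. The second constructed input is the socket/connect/send function at 004053f8, which the IPv4-literal rule picks up.

```python
"""Match stealer tradecraft against the per-function API listings in this report.

Added example; it is not Joe Sandbox code, not one of its signatures, and not
code from the sample. It parses the report's API lines
('<Api>.<Module>(<args>), ref: <addr>', optionally prefixed with
'Part of subcall function <addr>:') and the 'String ID' field, then applies a
few hand-written rules. Rule names and the pattern choices are this example's own.
"""
import re

API_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
PROCESS_DUP_HANDLE = "00000040"   # OpenProcess access mask as the report prints it

# Constructed input: lines copied from the 00404377 and 004053f8 listings in this report.
FUNC_404377_APIS = [
    "• GetModuleHandleA.KERNEL32(ntdll,NtQuerySystemInformation,?,00000000,?,?,?,?,?,004045FF), ref: 00404390",
    "• GetProcAddress.KERNEL32(00000000), ref: 00404399",
    "• GetModuleHandleA.KERNEL32(ntdll,NtQueryObject,?,?,?,?,004045FF), ref: 004043AA",
    "• GetProcAddress.KERNEL32(00000000), ref: 004043AD",
    "  • Part of subcall function 00403595: RtlAllocateHeap.NTDLL(00000000,?,?,?,00403C72,?,004022DE), ref: 004035AF",
    "• OpenProcess.KERNEL32(00000040,00000000,00000000,?,?,?,?,004045FF), ref: 0040442F",
    "• GetCurrentProcess.KERNEL32(004045FF,00000000,00000000,00000002,?,?,?,?,004045FF), ref: 0040444B",
    "• DuplicateHandle.KERNEL32(?,?,00000000,?,?,?,?,004045FF), ref: 0040445A",
    "• CloseHandle.KERNEL32(004045FF,?,?,?,?,004045FF), ref: 0040448A",
]
FUNC_404377_STRINGS = "• String ID: NtQueryObject$NtQuerySystemInformation$ntdll"

FUNC_4053F8_APIS = [
    "  • Part of subcall function 0040475F: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,0040489D), ref: 00404771",
    "  • Part of subcall function 0040475F: LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,0040489D), ref: 0040477E",
    "• socket.WS2_32(?,00000001,00000000), ref: 0040550F",
    "• connect.WS2_32(000000FF,?,00000010), ref: 0040554E",
    "• send.WS2_32(000000FF,00000000,00000000), ref: 00405570",
    "• send.WS2_32(000000FF,000000FF,106,00000000), ref: 0040558C",
    "• closesocket.WS2_32(000000FF), ref: 004055BC",
]
FUNC_4053F8_STRINGS = "• String ID: 106$185.244.212.106$ws2_32.dll"


def parse_api_lines(lines):
    """One dict per recognised API line; lines that do not match are skipped."""
    calls = []
    for line in lines:
        m = API_RE.match(line)
        if m:
            calls.append({
                "api": m["api"], "module": m["mod"], "ref": m["ref"],
                "subcall": m["sub"],                      # None when called directly
                "args": [a for a in (m["args"] or "").split(",") if a],
            })
    return calls


def parse_string_ids(line):
    """'String ID: a$b$c' -> ['a', 'b', 'c']. The report uses '$' as the
    separator, so a literal '$' inside a string cannot be told apart from it."""
    _, _, rest = line.partition("String ID:")
    return [s for s in rest.strip().split("$") if s]


def _opens_for_dup_handle(calls):
    return any(c["api"] == "OpenProcess" and c["args"][:1] == [PROCESS_DUP_HANDLE]
               for c in calls)


RULES = [
    # Enumerate handles (NtQuerySystemInformation/NtQueryObject), open the owning
    # process for PROCESS_DUP_HANDLE and DuplicateHandle the target object.
    {"name": "remote_handle_duplication",
     "apis": {"OpenProcess", "DuplicateHandle", "GetProcAddress"},
     "strings": lambda ss: {"NtQuerySystemInformation", "NtQueryObject"} <= set(ss),
     "calls": _opens_for_dup_handle},
    # Plain TCP client with a hard-coded IPv4 literal among the strings.
    {"name": "raw_tcp_c2",
     "apis": {"socket", "connect", "send"},
     "strings": lambda ss: any(IPV4_RE.match(s) for s in ss)},
    # ntdll exports resolved at run time instead of being imported.
    {"name": "ntdll_dynamic_resolution",
     "apis": {"GetModuleHandleA", "GetProcAddress"},
     "strings": lambda ss: "ntdll" in ss},
    {"name": "locale_fingerprint",
     "apis": {"GetUserDefaultUILanguage", "GetKeyboardLayoutList"},
     "strings": lambda ss: True},
    {"name": "recursive_file_enumeration",
     "apis": {"FindFirstFileW", "FindNextFileW"},
     "strings": lambda ss: any(s.endswith("\\*") for s in ss)},
]


def match_rules(calls, strings):
    """Names of rules whose API set is a subset of the function's APIs and whose
    string (and optional call-argument) predicates hold, in RULES order."""
    apis = {c["api"] for c in calls}
    return [r["name"] for r in RULES
            if r["apis"] <= apis and r["strings"](strings)
            and r.get("calls", lambda cs: True)(calls)]


if __name__ == "__main__":
    for label, api_lines, str_line in (("00404377", FUNC_404377_APIS, FUNC_404377_STRINGS),
                                       ("004053F8", FUNC_4053F8_APIS, FUNC_4053F8_STRINGS)):
        print(label, match_rules(parse_api_lines(api_lines), parse_string_ids(str_line)))
```

Run as a script it labels 00404377 with remote_handle_duplication and ntdll_dynamic_resolution, and 004053F8 with raw_tcp_c2. The function at 0040475F uses the truncated string `ntdl` and no GetProcAddress, so the ntdll rule deliberately does not fire on it; matching on the String ID field rather than on call arguments keeps the rule from keying on stack garbage such as the `Q#@` argument printed for GetCurrentProcess elsewhere in this report.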
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2077224145.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: __aulldvrm
                          • String ID: (null)$(null)$0123456789ABCDEF$0123456789abcdef
                          • API String ID: 1302938615-1267642376
                          • Opcode ID: 74a9ea239097ada3d1414e157643d0f430ec2b0ca7e571adabed524bf4d5b292
                          • Instruction ID: bcdd270a88cad76f636a2a04ffa2895c1f0e3bc7806eb067e009ec13a134c41f
                          • Opcode Fuzzy Hash: 74a9ea239097ada3d1414e157643d0f430ec2b0ca7e571adabed524bf4d5b292
                          • Instruction Fuzzy Hash: 5691A0706087028FDB25CF24C58862BB7E5EF85344F24897FE49AA77D1D7B4A881CB49
                          APIs
                          • GetUserDefaultUILanguage.KERNEL32 ref: 0040201D
                          • GetKeyboardLayoutList.USER32(00000032,?), ref: 0040207F
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2077224145.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: DefaultKeyboardLanguageLayoutListUser
                          • String ID: )$- KeyboardLayouts: ( $- SystemLayout %d${%d}
                          • API String ID: 167087913-619012376
                          • Opcode ID: 098336f7847c56de198dceea2ad9df411a430e70487c194ec4b5a45776de32d6
                          • Instruction ID: 10b5000f3d20341b48b4ae383d5168f65d0d8f996377bdde78befb18ad8f4928
                          • Opcode Fuzzy Hash: 098336f7847c56de198dceea2ad9df411a430e70487c194ec4b5a45776de32d6
                          • Instruction Fuzzy Hash: 0931BE60D08298A9DB009FE494067BDBB70EF14306F1054ABF648F72C2D27E4B49D76E
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2077224145.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: x
                          • API String ID: 0-2363233923
                          • Opcode ID: cc77272222d09f9b3e8e7dc35d4396ed1e50a5a1df7a949ef9c02a18000c61cf
                          • Instruction ID: cdbb1d4b41a264391f31279463ee9e8db51f7a06bf36a1bae859705254ac4300
                          • Opcode Fuzzy Hash: cc77272222d09f9b3e8e7dc35d4396ed1e50a5a1df7a949ef9c02a18000c61cf
                          • Instruction Fuzzy Hash: 1302A174D00219EFCB45CF98C985AAEBBF4FB09305F10846AE826EB390D734AA41CF55
                          APIs
                            • Part of subcall function 00403595: EnterCriticalSection.KERNEL32(004084D4,?,?,00403C72,?,004022DE), ref: 0040359F
                            • Part of subcall function 00403595: GetProcessHeap.KERNEL32(00000008,?,?,?,00403C72,?,004022DE), ref: 004035A8
                            • Part of subcall function 00403595: RtlAllocateHeap.NTDLL(00000000,?,?,?,00403C72,?,004022DE), ref: 004035AF
                            • Part of subcall function 00403595: LeaveCriticalSection.KERNEL32(004084D4,?,?,?,00403C72,?,004022DE), ref: 004035B8
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,00000005,00000000,00000000), ref: 00402ECA
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2077224145.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: CriticalHeapSection$AllocateByteCharEnterLeaveMultiProcessWide
                          • String ID: 6#@
                          • API String ID: 1990697408-399668929
                          • Opcode ID: 1f26a5c5fc2634c2030f9b83c1c8166a34ad48809439acca6c6bd24674cc38fe
                          • Instruction ID: 04ec494e2720618fda0ea9b48e18905337fba48f3a471985427a56106dfb7a8a
                          • Opcode Fuzzy Hash: 1f26a5c5fc2634c2030f9b83c1c8166a34ad48809439acca6c6bd24674cc38fe
                          • Instruction Fuzzy Hash: 9202AF70A04249EFCB41CF98C985AAEBBF4BF09305F148466E855FB390D778AA41CF55
                          APIs
                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,$d.log,000000FF,00000000,00000000,00000000,00000000,?,?,?,00403E4E,00000000,?,0000011C), ref: 00403DC1
                            • Part of subcall function 00403595: EnterCriticalSection.KERNEL32(004084D4,?,?,00403C72,?,004022DE), ref: 0040359F
                            • Part of subcall function 00403595: GetProcessHeap.KERNEL32(00000008,?,?,?,00403C72,?,004022DE), ref: 004035A8
                            • Part of subcall function 00403595: RtlAllocateHeap.NTDLL(00000000,?,?,?,00403C72,?,004022DE), ref: 004035AF
                            • Part of subcall function 00403595: LeaveCriticalSection.KERNEL32(004084D4,?,?,?,00403C72,?,004022DE), ref: 004035B8
                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,$d.log,000000FF,00000000,?,00000000,00000000,?,00403E4E,00000000,?,0000011C), ref: 00403DF7
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2077224145.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                          Yara matches
                          Similarity
                          • API ID: ByteCharCriticalHeapMultiSectionWide$AllocateEnterLeaveProcess
                          • String ID: $d.log
                          • API String ID: 635875880-1910398676
                          • Opcode ID: 596067efd1d70e71452a917ac77f7634f6861e6932447c6e6420039467924f9e
                          • Instruction ID: ac6dd0e6687c57a2322cdc8011629eff706fdab16a0174ef90b3a49cae1c3f8c
                          • Opcode Fuzzy Hash: 596067efd1d70e71452a917ac77f7634f6861e6932447c6e6420039467924f9e
                          • Instruction Fuzzy Hash: 46F0BEB16001207FA3246A6ACC09C777EAEDBC2B71304433ABC18EB3D0D9309C0082B0